On Fri, 20 Jul 2012 21:55:52 +0200 (CEST)
Wojciech Puchar <woj...@wojtek.tensor.gdynia.pl> wrote:

> > There are certain Seagate Momentus disks that do AES encryption in
> > hardware. This means that they use an AES key to encrypt the data, and
> > you need a ("BIOS"-)password to unlock this key at boot. So whenever you
> > change the password, it's just that - the AES key stays the same. You
> 
> that's how all "FDE" drives work. Already a problem as only the BIOS can 
> activate the password; there is no command line tool.
> 
> And no idea how it would work if more than one disk with FDE is installed 
> on the system.

According to Seagate, the password is set using the normal ATA
commands. So I *assume* that you can use the atactl tool for this. The
BIOS does nothing else...

> > Yes and no. Again, what threat are you looking at. If your adversary can
> > get physical access to your machine ("evil maid attack"), he can
> > install a root kit or key logger - which would defeat any software
> 
> no concern on "evil maid" really.
> 
> But simple theft from outside is definitely possible, and DID happen 
> long in the past in spite of some control.
> 
> The possibility of theft done for the data, not the machine, is very likely.
> 
> So let's narrow the question - can such a thief, with the help of some kind of 
> specialist, recover data from an FDE encrypted drive without the password?
> 
> to install a boot-time key logger you would need to get here twice, once
> to shut down the server and install a keylogger (which cannot go unnoticed!!!)
> and a second time to actually steal it.

*) If someone can get in once unnoticed, he can do it twice. Or the
root kit sends the data out as part of other network traffic. Etc.
*) A power failure can be simulated. Or a hardware failure.

But again, then you are looking at a sophisticated attacker. They might
also have other means (how much does your admin earn? your security
guy? can he be bribed? blackmailed? threatened?).

You probably just want to protect against someone breaking into your
server room and stealing the HDs. In this case do a normal system
install (unencrypted), and encrypt the data disks. Make the admin type
in the password after reboot, via SSH or the console. Don't store the
keys on the system disk ;)


> checking that the unencrypted part didn't change after an unplanned reboot is 
> a good idea. thanks!

You would have to do this on another system, since you can't trust this
system anymore. This is a lot of manual work - is it worth it in your
situation?
Another idea: remove the local system disk. Create a read-only system
on a CD (+ ramdisk for /tmp, send logs to another server) and boot from
this. Or boot it from the (protected, physically separated server-)LAN.

In the end it is always a cost/benefit (effort/threat) decision...
don't overdo it.

kind regards,
Robert
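One way to do the "unencrypted part didn't change" check that Robert describes, as an added example that is not part of this thread: build a per-file manifest (mode, owner, SHA-256 or symlink target) from the unencrypted partition while it is mounted read-only on a separate, trusted machine, keep the manifest off-box, and diff a fresh manifest against it after the unplanned reboot. The directory tree, file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Per-file mode/uid/gid plus SHA-256 (or symlink target) under root,
    the unencrypted partition mounted read-only on a trusted system."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = _sha256(path)
            manifest[os.path.relpath(path, root)] = entry
    return manifest

def compare_manifests(expected, actual):
    """Return (added, removed, changed); anything non-empty means the
    unencrypted part differs from the snapshot taken before the reboot."""
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    changed = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return added, removed, changed

def demo():
    """Constructed tree standing in for a mounted /boot: snapshot, then alter it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "boot"))
    with open(os.path.join(root, "boot", "loader.conf"), "w") as f:
        f.write("console=comconsole\n")  # constructed config content
    baseline = build_manifest(root)  # in practice stored off-box, not on the server
    with open(os.path.join(root, "boot", "loader.conf"), "a") as f:
        f.write("extra_module_load=YES\n")  # edited while the box was "rebooting"
    with open(os.path.join(root, "boot", "extra.ko"), "wb") as f:
        f.write(b"constructed new file\n")
    return compare_manifests(baseline, build_manifest(root))
```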
