Gentoo Archives: gentoo-user

From: Volker Armin Hemmann <volkerarmin@××××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
Date: Mon, 02 Jun 2014 18:14:26
Message-Id: 538CBEF9.2080300@googlemail.com
In Reply to: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet? by "J. Roeleveld"
On 02.06.2014 16:52, J. Roeleveld wrote:
> On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote:
>> On Jun 2, 2014, at 16:40, "J. Roeleveld" <joost@××××××××.org> wrote:
>>> On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote:
>>>> On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick <neil@××××××××××.uk> wrote:
>>>>> On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote:
>>>>>> The second option does sound like what I am looking for. Basically, if I
>>>>>> log out but leave my computer on, leave home, some crook/NSA type breaks in
>>>>>> and tries to access something or steals my whole puter, they would just
>>>>>> get garbage for data. That seems to fit the second option best.
>>>>> If they steal your computer they will have to power it off, unless you
>>>>> are kind enough to leave them a large enough UPS to steal along with it,
>>>>> so any encryption will be equally effective.
>>>> If you're worried about casual thieves then just about any kind of
>>>> properly-implemented encryption will stop them.
>>>>
>>>> If you're worried about a government official specifically tasked with
>>>> retrieving your computer, my understanding is that it is SOP these
>>>> days to retrieve your computer without powering it off for just this
>>>> reason. They won't use your UPS to do it. Typically they remove the
>>>> plug just far enough to expose the prongs, slide in a connector that
>>>> connects it to a UPS, and then they pull it out the rest of the way,
>>>> now powered by the UPS.
>>>>
>>>> See something like:
>>>> http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/
>>> Hmm... Those are nice, but can be easily built yourself with an
>>> off-the-shelf UPS.
>>>
>>>> Presumably somebody who is determined will also have the means to
>>>> retrieve the contents of RAM once they seize your computer. Besides
>>>> directly accessing the memory bus, I think most motherboards are not
>>>> designed to be secure against attacks from PCI/firewire/etc.
>>> Hmm... add something to auto-shutdown the computer when a hotplug event
>>> occurs on any of the internal ports and remove support for unused ports
>>> from the kernel.
>>>
>>> I wonder how they'd keep a computer from initiating a shutdown procedure
>>> or causing a kernel panic when it loses (wireless) connection to another
>>> device that is unlikely to be moved when powered up?
>> Well, I have a switch in the door of the server room. It opens when you open
>> the door. That signals the kernel to wipe all the encryption keys from
>> kernel memory. Without the keys there is no access to the disks. After that
>> another kernel is executed which wipes the memory of the old kernel. If you
>> just pull the plug, memory will stay in its state for an unspecified time.
> You don't happen to have a howto on how to set that up?
>
>> Swap uses random keys.
>>
>> Network switches and routers get power only after the firewall server is up and
>> running.
> Networked power sockets?
>
>> There is no easy way to enter the room without wiping the encryption keys.
>> Booting up the server requires that a boot disk is brought to the computer
>> to decrypt the boot drive. Grub2 can do this easily. This is to prevent
>> someone from tampering with a boot loader.
>>
>> The system is not protected against hardware tampering. The server room is an
>> RF cage.
>>
>> I consider this setup quite secure.
> Makes me wonder what it is you are protecting your server from. :)
>

Some people really want to hide their porn collection.

No, I don't know what is in that black aluminium case. Yeah, I lost the
keys a long time ago. No, I don't want to throw it away, the plant looks
so nice on it ...
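An added example, not code from anyone in this thread: a small POSIX shell handler for the door-switch idea Matti describes, which suspends every active device-mapper crypt target with `cryptsetup luksSuspend` (this wipes the volume key from kernel memory and blocks I/O until the volume is resumed). It assumes the volumes are LUKS mappings and that an external trigger (door-switch GPIO, a udev hotplug rule) invokes the script; the follow-on kexec into a memory-scrubbing kernel is not included.

```sh
#!/bin/sh
# Constructed example of a door-switch key-wipe handler; not from the thread.
# Assumptions: encrypted volumes are LUKS mappings managed by device-mapper,
# and some external trigger (door-switch GPIO, udev hotplug rule) runs this
# script as `key-wipe.sh run`. The kexec into a memory-scrubbing kernel that
# the thread mentions is out of scope here.

# Read `dmsetup table` output on stdin and print the name of every crypt
# target, one per line. Line format: "<name>: <start> <len> <target> <args>"
crypt_targets() {
    awk -F': ' '$2 ~ /^[0-9]+ [0-9]+ crypt / { print $1 }'
}

# cryptsetup luksSuspend freezes I/O on the mapping and wipes its volume key
# from kernel memory; the data stays unreadable until luksResume is given the
# passphrase again. With DRY_RUN=1 only report what would be suspended.
# Returns 0 if every target was handled, 1 if any suspend failed.
wipe_keys() {
    rc=0
    for name in $(dmsetup table 2>/dev/null | crypt_targets); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would suspend $name"
        elif cryptsetup luksSuspend "$name"; then
            logger -p auth.crit "key-wipe: suspended $name"
        else
            logger -p auth.crit "key-wipe: luksSuspend $name FAILED"
            rc=1
        fi
    done
    return $rc
}

# Only act when explicitly invoked by the trigger; sourcing the file or
# running it without the argument is harmless.
if [ "${1:-}" = run ]; then
    sync
    wipe_keys
fi
```

Run as root from the trigger; `cryptsetup luksResume <name>` brings a suspended volume back once the passphrase is re-entered.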