| 1 |
On Tuesday, June 03, 2014 09:53:58 PM Matti Nykyri wrote: |
| 2 |
> On Jun 2, 2014, at 18:29, "J. Roeleveld" <joost@××××××××.org> wrote: |
| 3 |
> > I actually meant the software side: |
| 4 |
> > - How to wipe the keys and then wipe the whole memory. |
| 5 |
> |
| 6 |
> The dm-crypt module inside kernel provides a crypt_wipe_key function that |
| 7 |
> wipes the memory portion that holds the key. It also invalidates the key, |
| 8 |
> so that no further writes to the drive can occur. Suspending the device |
| 9 |
> prior is recommended: |
| 10 |
> |
| 11 |
> dmsetup suspend /dev/to-device |
| 12 |
> dmsetup message /dev/to-device 0 key wipe |
| 13 |
|
| 14 |
Thank you for this, wasn't aware of those yet. |
| 15 |
Does this also work with LUKS encrypted devices? |
| 16 |
|
| 17 |
> When you boot into your kernel you can setup a crash kernel inside your |
| 18 |
> memory. The running kernel will not touch this area so you can be certain |
| 19 |
> that there is no confidential data inside. Then you just wipe the area of |
| 20 |
> the memory of the original kernel after you have executed your crash |
| 21 |
> kernel. |
| 22 |
> |
| 23 |
> So I do this by opening /dev/mem in the crash kernel and then mmap every |
| 24 |
> page you need to wipe. I use the memset to wipe the page. Begin from |
| 25 |
> physical address where your original kernel is located and walk the way up. |
| 26 |
> Skip the portion where you crash kernel is! Crash kernel location is in |
| 27 |
> your kernel cmdline and the location of the original kernel in your kernel |
| 28 |
> config. |
| 29 |
|
| 30 |
Hmm.. this goes beyond me. Will need to google on this to see if I can find |
| 31 |
some more. Unless you know a good starting URL? |
| 32 |
|
| 33 |
> > I would keep the system controlling all that off the internet with only a |
| 34 |
> > null-modem cable to an internet-connected server using a custom protocol. |
| 35 |
> > |
| 36 |
> > Anything that doesn't match the protocol initiates a full lock-down of the |
| 37 |
> > house. ;) |
| 38 |
> |
| 39 |
> But it is much more convenient to control everything from you phone via |
| 40 |
> internet. Just have everything setup in a secure manner. Anyways it's |
| 41 |
> easier for a common burglar to break the window then to hack the server! |
| 42 |
> And you can not steal the stereos by hacking the server ;) |
| 43 |
|
| 44 |
Perhaps, but I would have added security shutters to all the windows and doors |
| 45 |
which are also controlled by the same system. Smashing a window wouldn't help |
| 46 |
there. |
| 47 |
Especially if the only way to open those is by getting the server (which by |
| 48 |
then went into a full lock-down) to open them... |
| 49 |
Now only to add a halo fire suppression system to the server room and all you |
| 50 |
need to do is find a way to dispose of the mess.... ;) |
| 51 |
|
| 52 |
-- |
| 53 |
Joost |
Archives