On Tuesday, June 03, 2014 09:53:58 PM Matti Nykyri wrote:
> On Jun 2, 2014, at 18:29, "J. Roeleveld" <joost@××××××××.org> wrote:
> > I actually meant the software side:
> > - How to wipe the keys and then wipe the whole memory.
>
> The dm-crypt module inside kernel provides a crypt_wipe_key function that
> wipes the memory portion that holds the key. It also invalidates the key,
> so that no further writes to the drive can occur. Suspending the device
> prior is recommended:
>
> dmsetup suspend /dev/to-device
> dmsetup message /dev/to-device 0 key wipe
|
Thank you for this, wasn't aware of those yet.
Does this also work with LUKS encrypted devices?
|
> When you boot into your kernel you can setup a crash kernel inside your
> memory. The running kernel will not touch this area so you can be certain
> that there is no confidential data inside. Then you just wipe the area of
> the memory of the original kernel after you have executed your crash
> kernel.
>
> So I do this by opening /dev/mem in the crash kernel and then mmap every
> page you need to wipe. I use the memset to wipe the page. Begin from
> physical address where your original kernel is located and walk the way up.
> Skip the portion where your crash kernel is! Crash kernel location is in
> your kernel cmdline and the location of the original kernel in your kernel
> config.
|
Hmm.. this goes beyond me. Will need to google on this to see if I can find
some more. Unless you know a good starting URL?
|
> > I would keep the system controlling all that off the internet with only a
> > null-modem cable to an internet-connected server using a custom protocol.
> >
> > Anything that doesn't match the protocol initiates a full lock-down of the
> > house. ;)
>
> But it is much more convenient to control everything from your phone via
> internet. Just have everything setup in a secure manner. Anyways it's
> easier for a common burglar to break the window than to hack the server!
> And you can not steal the stereos by hacking the server ;)
|
Perhaps, but I would have added security shutters to all the windows and doors
which are also controlled by the same system. Smashing a window wouldn't help
there.
Especially if the only way to open those is by getting the server (which by
then went into a full lock-down) to open them...
Now only to add a halon fire suppression system to the server room and all you
need to do is find a way to dispose of the mess.... ;)
|
--
Joost |
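
The page-by-page wipe described in the quoted text above, sketched in C as an added example that is not code from this thread. The function names are hypothetical, the crash kernel region is assumed to be given on the command line in the `crashkernel=size@offset` form, and `fd` stands for an open `/dev/mem` (any mappable file descriptor works for a dry run).

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a number with an optional K/M/G suffix, as used by crashkernel=. */
static uint64_t parse_size(const char *s, const char **end)
{
    char *e;
    uint64_t v = strtoull(s, &e, 0);
    switch (*e) {
    case 'G': case 'g': v <<= 10; /* fall through */
    case 'M': case 'm': v <<= 10; /* fall through */
    case 'K': case 'k': v <<= 10; e++;
    }
    *end = e;
    return v;
}

/* Find the reserved region in "crashkernel=size@offset"; 0 on success. */
int crash_region(const char *cmdline, uint64_t *start, uint64_t *len)
{
    const char *p = strstr(cmdline, "crashkernel=");
    if (!p) return -1;
    *len = parse_size(p + strlen("crashkernel="), &p);
    if (*p != '@' || *len == 0) return -1;  /* an explicit offset is required */
    *start = parse_size(p + 1, &p);
    return 0;
}

/* Zero [from, to) of fd one page at a time, leaving every page that overlaps
 * [skip, skip + skip_len) untouched. "from" must be page aligned.
 * Returns the number of pages wiped, or -1 if a mapping fails. */
long wipe_range(int fd, uint64_t from, uint64_t to, uint64_t skip, uint64_t skip_len)
{
    uint64_t pg = (uint64_t)sysconf(_SC_PAGESIZE);
    long n = 0;
    for (uint64_t a = from; a + pg <= to; a += pg) {
        if (a + pg > skip && a < skip + skip_len) continue;  /* crash kernel lives here */
        void *m = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, (off_t)a);
        if (m == MAP_FAILED) return -1;
        memset(m, 0, pg);
        munmap(m, pg);
        n++;
    }
    return n;
}
```

In the crash kernel the contents of `/proc/cmdline` of the original boot would feed `crash_region()`, and a kernel built with `CONFIG_STRICT_DEVMEM` will refuse the `/dev/mem` mappings of system RAM.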