N
N
nivs2014-03-08 23:19:59
linux
nivs, 2014-03-08 23:19:59

How to organize full encryption of a Linux system?

There is a need to close the Linux system from external reading by giving the machine to the client.
Is it possible to encrypt the SSD with the system in such a way that it is decrypted _only_ when the system itself starts? So that there was no way to remove the SSD and decrypt it. The maximum that I came up with was to solder a USB drive with a launch key to the motherboard, but it would be possible to connect to the contacts and read the data.

Answer the question

In order to leave comments, you need to log in

4 answer(s)
P
Puma Thailand, 2014-03-08
@opium

Why take anything out?
I can just copy it to the same flash drive when the disk is decrypted.

C
custos, 2014-03-09
@custos

Here you need to take a comprehensive approach to the matter, while handing over the keys along with the data, you should not count on much. You can complicate the life of a hacker as follows:
1) Calculate the key from the IDs of the components, or use the IDs of the components to check the integrity, i.e. if something has changed, then clean everything up qualitatively.
2) Instead of screws, blind rivets, and in the body of the sensor to taste (for example, shock) on the open case, check accordingly at startup.
3) Think of what kind of thread is the "proprietary" power cord, respectively soldering the contacts on the SSD, so that the standard one would take it out of a standing position, or at least not work.
Well, everything like that ... in other words, it is not realistic to protect data, by software, giving them along with the keys!

D
Deerenaros, 2014-05-06
@Deerenaros

Well ... They turned it down. What other keys are on the flash drive?
We stretch the section with links on LVM 'e on the ciphered section. It is desirable, of course, to stretch / usr (/ bin with / var and / tmp too) and / etc, and / boot is also better in a separate place. The big key is stored on the disk in encrypted form with some symmetric passphrase cipher. There is an even more advanced version with certificate mounting (that is, EDS), but I hope, if this is required, google it yourself.

G
Gem, 2014-06-02
@Gem

You need something called a smart card or a crypto token - a complete analogue of the actual TPM without a couple of nuances, from the pros - non-recoverable private keys

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question