Encryption, paranoia and virtual machines

Jamon Camisso jamon.camisso-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Fri Nov 25 16:52:28 UTC 2011


On 11/25/2011 11:29 AM, Neil Watson wrote:
> On Fri, Nov 25, 2011 at 11:11:07AM -0500, Alex Volkov wrote:
>> Encrypting logical volumes on shared host is snake oil.
> 
> In my scenario the host is not shared.  The hosting company has physical
> access to the host but no login. In such a case I think there is still
> value to encryption.  It is just a question of how to apply it.

I haven't used it, but TRESOR looks like a really valuable encryption
tool for folks who run servers (or encrypted laptops with sensitive
info): http://www1.informatik.uni-erlangen.de/tresor

Briefly, it protects against cold boot attacks by running AES operations
for disk encryption 100% outside of RAM (instead TRESOR uses CPU debug
registers). This would mitigate against a cold boot attack in the event
that a server was seized (mistakenly or otherwise) and powered off, or a
laptop stolen and its RAM contents dumped.

Of course the usual proviso applies - that if an attacker is
sophisticated enough to know how to deal with and defeat your encryption
scheme, moving the key from RAM is just making an attack more difficult.

But at least they can't power off the machine to carry one out
immediately. Instead an attacker would have to pull off an evil maid
attack and wait for you to access the machine. At that point, if your
information is that sensitive then I'd expect the machine should be
treated as compromised anyway.

Jamon
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists