On Sun, 01 Nov 2009 20:19:46 +0000 Magnus Therning <magnus@therning.org> wrote:
On 01/11/09 15:06, Karol Babioch wrote:
Hi,
I'm wondering whether there is a possibility to encrypt a remote system using Arch Linux? I have installed Arch on a remote server, and don't like the idea that anyone with physical access to my system has access to my data. So is there something I can do about it?
Using dm-crypt (with LUKS) doesn't work at all, as I can't input the passphrase when I reboot my system; the technician would really hate me if I ask them to attach a remote console each time I reboot my system.
So is there anything I can do?
AFAICS there is *nothing* you can do against someone with physical access. Encrypting the disk will only protect it while it's at rest; as soon as you've booted the system you're back to the situation where you have to trust the physical hardware, network, etc.
I assume you're talking about encrypting the *entire system* (as opposed to just your home directory, since that would be obviously without any effect at all). Given that, out of curiosity, how do you plan on getting the password to the remote system at boot time?
/M
1) If your server supports it, you could use IPMI serial-over-LAN.
2) You can encrypt your / or /home; there are ways to have the early userspace start an ssh daemon so you can connect to it.
3) If you're really paranoid: somebody could overwrite your BIOS/bootloader/early userspace and sniff your password when you enter it (remotely).
4) And then there is what Magnus said.

(IIRC IPMI SOL is plaintext)

Dieter