[arch-general] Encrypting remote system

Dieter Plaetinck dieter at plaetinck.be
Sun Nov 1 15:52:45 EST 2009


On Sun, 01 Nov 2009 20:19:46 +0000
Magnus Therning <magnus at therning.org> wrote:

> On 01/11/09 15:06, Karol Babioch wrote:
> > Hi,
> > 
> > I'm wondering whether there is a possibility to encrypt a remote
> > system using Arch Linux? I have installed Arch on a remote server,
> > and don't like the idea that anyone with physical access to my
> > system has access to my data. So is there something I can do about
> > it?
> > 
> > Using dm-crypt (with luks) doesn't work at all, as I can't input the
> > passphrase when I reboot my system, the technician would really
> > hate me if I ask them to attach a remote console each time I reboot
> > my system.
> > 
> > So is there anything I can do?
> 
> AFAICS there is *nothing* you can do against someone with physical
> access. Encrypting the disk will only protect it while it's at rest,
> as soon as you've booted the system you're back to the situation
> where you have to trust the physical hardware, network, etc.
> 
> I assume you're talking about encrypting the *entire system* (as
> opposed to just your home directory, since that would be obviously
> without any effect at all).  Given that, out of curiosity, how do you
> plan on getting the password to the remote system at boot time?
> 
> /M
> 

1) If your server supports it, you could use IPMI serial-over-LAN.
2) You can encrypt your / or /home; there are ways to have the early
userspace start an ssh daemon so you can connect to it.
3) If you're really paranoid: somebody could overwrite your
BIOS/bootloader/early userspace and sniff your password when you enter
it (remotely).
4) And then there is what Magnus said. (IIRC IPMI SOL is plaintext.)

Dieter

