[arch-general] Encrypting remote system

Thomas Bächler thomas at archlinux.org
Mon Nov 2 13:20:30 EST 2009

Karol Babioch schrieb:
> Hi,
> I'm wondering whether there is a possibility to encrypt a remote system
> using Arch Linux? I have installed Arch on a remote server, and don't
> like the idea that anyone with physical access to my system has access
> to my data. So is there something I can do about it?
> Using dm-crypt (with luks) doesn't work at all, as I can't input the
> passphrase when I reboot my system, the technician would really hate me
> if I ask them to attach a remote console each time I reboot my system.
> So is there anything I can do?

I thought about this topic and concluded that security will be the same 
as without encryption:

What is encryption good for? It protects against someone with physical 
access being able to decrypt your data. Once the machine is running, 
you'd have to circumvent the usual access control, whether the system is 
encrypted or not.

This security relies on two things:
1) The passphrase ensures that only authorized people can access the 
data on the drive.
2) Somehow, you need to ensure that you only give the passphrase to the 
machine it belongs to.

The first point would be rather easy, even with a remote system. But the 
second is the problem.

On your desktop or laptop, you verify 2) by looking at it and saying 
"Yes, this is definitely my machine, so I can give it the passphrase". 
For a remote machine, you have to rely on cryptography. The security of 
cryptography is based on the remote machine having a private secret 
(like a private key to a certificate or a SSH private host key).
Now, as we said, encrypting the hard drive is for protecting against 
people getting physical access to your hard drive. So if someone has 
physical access to the machine, he/she can easily grab that private 
secret and perform an effective man-in-the-middle attack and sniff your 
passphrase - or even better, install a modified cryptsetup binary and 
make it save the raw encryption key in some place.

In other words: You'd have to trust the unencrypted portion of your 
system to do what you expect it to do - which you can't.

That said, such an attack is also easily possible on your desktop or 
laptop. If someone would steal the laptop, modify your kernel or 
initramfs and then give it back to you, he/she could have done anything 
to it to sniff the passphrase as you enter it. In case you can not 
ensure that the laptop has not been tampered with, you'd have to 
re-create your bootloader, kernel and initramfs from a trusted source 
before using it again (also impossible for a remote machine).

However, one bit of added security is possible for a remote machine: If 
someone steals the hard drive without getting to your passphrase first, 
he/she would not be able to obtain any data. But someone who would 
simply steal it, wouldn't be interested in your data anyway. Everyone 
who is interested can (as seen above) easily get it.

My conclusion: You should rather concentrate on securing against remote 
attacks via the network, which are more likely than physical attacks, 
and you can actually protect yourself effectively against those.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20091102/44328a70/attachment.bin>

More information about the arch-general mailing list