On 17/04/13 11:15, Bob Proulx wrote:
> In any case... I wanted to add an additional comment. I have
> been thinking of doing something like this myself. I haven't done
> it yet but if I were implementing this then I think I would have
> the server contact a central machine elsewhere on the network to
> get the keys to decrypt and mount the encrypted partitions. I am
> not sure what the best mechanics would be to implement it. But I
> think as soon as networking came online I would have the remote
> server with the encrypted disks contact a different server that I
> controlled. Have it pull the keys for the partition from there.
> Then automatically mount the partitions. Then have it continue the
> boot process normally and start the daemons normally.
>
> That way the machine can be rebooted in an automated way without
> trouble. I would have them go through automatically. Then on a
> normal reboot the machine would mostly behave normally. But if
> the machine were stolen it wouldn't be able to get the keys and
> wouldn't be able to decrypt that disk.
>
> Lock the key server to the remote server's IP address. The
> machine could also block waiting for the external keys and allow
> you to acknowledge them if you wanted the extra security. After
> acknowledging them the machine would continue to boot normally.
>
> If the machine were stolen then the encrypted partition would not
> be unlocked automatically since it would then come from a different
> IP address. However knowing that IP address would give you a trail
> to the thief.
This is, like many things you post, really interesting. Do you have a blog, to make these things easier to find?

Richard
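The key-release policy described in the quoted message (release locked to the server's IP address, optional operator acknowledgement, and a record of the source address of refused requests), as an added sketch that is not part of the original thread. The names `KeyServer` and `Policy`, the host names, the documentation-range addresses and the dummy keys are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed_ip: str            # address the host must call from
    key: bytes                 # partition key held only on the key server
    require_ack: bool = False  # block until an operator acknowledges

@dataclass
class KeyServer:
    policies: dict
    approved: set = field(default_factory=set)      # hosts acknowledged for one release
    denied_log: list = field(default_factory=list)  # (host, source IP) trail

    def acknowledge(self, host):
        """Operator approves the next key release for this host."""
        self.approved.add(host)

    def request(self, host, src_ip):
        """Return (status, key). src_ip is the peer address the server saw."""
        policy = self.policies.get(host)
        src = ipaddress.ip_address(src_ip)
        if policy is None or src != ipaddress.ip_address(policy.allowed_ip):
            # Unknown host or wrong network location: refuse and keep the trail.
            self.denied_log.append((host, str(src)))
            return "denied", None
        if policy.require_ack and host not in self.approved:
            return "pending", None   # client keeps waiting and retries
        self.approved.discard(host)  # an acknowledgement covers one boot only
        return "released", policy.key

def demo():
    # Constructed sample data: documentation addresses and dummy keys.
    ks = KeyServer({
        "web1": Policy("192.0.2.10", b"k-web1"),
        "db1": Policy("192.0.2.20", b"k-db1", require_ack=True),
    })
    results = [
        ks.request("web1", "192.0.2.10"),    # normal automated reboot
        ks.request("web1", "203.0.113.77"),  # same disk, different network
        ks.request("db1", "192.0.2.20"),     # waits for the operator
    ]
    ks.acknowledge("db1")
    results.append(ks.request("db1", "192.0.2.20"))
    results.append(ks.request("db1", "192.0.2.20"))  # next boot needs a new ack
    return results, ks.denied_log

if __name__ == "__main__":
    print(demo())
```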