-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/10/12 19:24, grarpamp wrote:
>> *Anyone* with *any* access to the data centers that host the >> directory authorities is potentially subject to either a coercive >> or subversive >> >> As you know, I've been digging down the rabbit hole of how to >> ensure the integrity of a remote machine, and it seems impossible >> to do this without both secure boot *and* a way to verify the >> current runtime integrity. > > You can cold boot for OS fs crypto keys FYI, if you use TRESOR/Trevisor, you can protect your OS encryption keys from cold boot attacks: http://www1.informatik.uni-erlangen.de/tresor The basic idea being that your keys are shifted from RAM into the debug registers of the CPU on boot, then all future crypto is done directly on the CPU (AES-NI) without the keys re-entering RAM. Of course, you will probably still have other sensitive data in RAM. (I use this patch on my Ubuntu laptop) - -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 -----BEGIN PGP SIGNATURE----- iQGGBAEBCgBwBQJQcIhxMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBDISB/92CSZnfr2R X9bY8C8RHmh7xtuuiXDURSrwgD74jy5UPdJmemRn7xSatg3BIfwgUeHBfiIb46kr P8q5freutvhCn4n/hqY7xk85Jl0fBM8OPAsRQuRkxXYOxjr8HP2QZW6fSm/4LF/5 ZwJ+hkZeL9FWE7JGmr9MXyX35eiG7EIDab/Q1VP7oxVMVxPY1usSU7+4qZZCDpZu oXOLpDCME6Txu61Q0hEeGLdkgEsGF48G74phMKZlRpfVfoN/KVwN7W3UOVJOqdLN DiQAW3MsA22iBNwkdeFj9aHTJpRDChApp8M4uCPUaxhoL2tkSWODeVGKvK7ykU7p Tv9gDaD29mb9 =H8GX -----END PGP SIGNATURE----- _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
