Hacker News new | comments | ask | show | jobs | submit login

Out of curiosity, does anyone know how volume-level encryption (like dm-crypt) holds up against this sort of thing? I find myself wondering what I'd tell customers if my server were seized as collateral damage like Instapaper's were. Will that sort of encryption serve as a plausible safeguard of customer data, or is it more of a padlock (easily broken with the right tools)?



It would certainly make it much harder to steal the data -- and at the same time it would make it much harder to boot the machine, because at some point you'd have to enter a passphrase. It's possible to do so over SSH, but it's still a bit tricky. Rebooting the server while you're away from an internet connexion will leave it in a useless state.

That being said, even with volume encryption, the key is in memory somewhere. RAM isn't wiped as quickly as you might think, and it's apparently possible to extract keys from memory after the machine has been powered down. So be warned, and be paranoid!


Indeed, the encryption keys can be recovered from memory fairly easily. http://www.usenix.org/events/sec08/tech/full_papers/halderma... is very readable; http://www.youtube.com/watch?v=JDaicPIgn9U is a well-made 5-minute introduction by the authors.


I thought this issue had been partially addressed by overwriting the memory containing the keys on unmount. Of course, that doesn't work if somebody just pulls the plug on the machine.

There was an article I read recently about a patch for the Linux kernel to store the key in CPU registers instead of memory as well...


A lot of servers I've seen have had 'chassis intrusion detection', which is a fancy way of saying they had a microswitch hooked up to one of the SMBus lines that could detect when the case is opened.

Take one of those, and a Google-style Lead-Acid internal UPS, and you'd have an incredibly hard time getting access to keys held solely in memory.

For the extra paranoid, accelerometers or a simple mercury vibration/tilt switch would make it even harder, at the risk of losing/hanging your server every time someone worked on the rack, or drove a heavy pallet cart nearby.

I recall seeing somewhere a device designed for law enforcement, which was essentially a cart-style UPS with probes designed to be clamped onto, and penetrate, the power cable, allowing seizures without any power-loss, which I assume is for this eventuality.


You don't necessarily need to encrypt the boot volume.


You tell them what Marco told them.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: