Gentoo Forums
How 2 crypt partition according 2 local HW id (mac/serial)
CaptainBlood (Advocate; Joined: 24 Jan 2010; Posts: 3625)
Posted: Thu Jun 18, 2015 5:41 am    Post subject: How 2 crypt partition according 2 local HW id (mac/serial)

Hi,
Maybe the idea is truly silly, but I have an idea to encrypt a partition with an embedded key.
Just to avoid pure cloning of a system partition to work on an identical second HW platform.

Any comment about the idea?

Has anyone achieved such a customization?

Thks 4 ur attention, interest & support.
frostschutz (Advocate; Joined: 22 Feb 2005; Posts: 2977; Location: Germany)
Posted: Thu Jun 18, 2015 7:05 am

Encryption key based on cpu, ram, mac address, static random file (salt), ...:

https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples#Self-Decrypting_Server

You'd have to adapt it to your own needs though. Especially the /proc/meminfo is rather noisy (changes with every kernel compile).

Definitely have a backup passphrase if you use this.

Also note that obtaining the MAC address in early initramfs requires the network driver to be built in (or have the initramfs load the network module first).
szatox (Advocate; Joined: 27 Aug 2013; Posts: 3135)
Posted: Thu Jun 18, 2015 8:18 pm

I wonder, what is the purpose of such a setup? Replacing cheap central heating with high-tech CPU-based?
I mean, sure you can do for example
lspci -n | sha256sum
240e4eda61dfcae171d5b05a19f99acdf370ac6df28d1d8a6e9b247268573e1a -
but encrypted storage is meant to guard against people with physical access to your toys. And this way someone with physical access has the key as well. So... Encrypted backup on external hard drive?

Quote:
Just to avoid pure cloning of a system partition to work on an identical second HW platform.
With a user-defined password you can just move the drive. Would you rather re-encrypt it?
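A worked version of the approach in frostschutz's first post and szatox's lspci | sha256sum one-liner, as an added example that is not code from the thread or from the linked wiki page: the function names are hypothetical, the sysfs/procfs paths are the standard Linux ones, and the optional root argument exists only so the functions can be exercised against constructed files.

```shell
# Collect stable hardware identifiers, hash them with a per-install salt
# file, and emit a 64-hex-char string that cryptsetup can consume.
# Hypothetical helper names; sysfs/procfs paths are standard Linux.

hw_field() {
    # $1 = label, $2 = file to read. Fail loudly on a missing source:
    # a silently empty field would change the derived key and lock you out.
    [ -r "$2" ] || { echo "missing identifier source: $2" >&2; return 1; }
    printf '%s=%s\n' "$1" "$(cat "$2")"
}

collect_hw_ids() {
    # $1 = network interface, $2 = optional filesystem root (tests only).
    # Only fields that survive reboots and kernel rebuilds; /proc/meminfo
    # is deliberately left out because it is noisy.
    hw_field board_serial "$2/sys/class/dmi/id/board_serial" || return 1
    hw_field mac "$2/sys/class/net/$1/address" || return 1
    # x86 exposes "model name"; a Raspberry Pi exposes "Serial" instead.
    grep -m1 -E '^(model name|Serial)' "$2/proc/cpuinfo" || return 1
}

derive_key() {
    # $1 = salt file (random bytes created once at install time).
    # Identifier lines arrive on stdin. The salt ties the key to this
    # install as well as to this board, so identical images on identical
    # hardware models still do not share a key.
    [ -r "$1" ] || { echo "missing salt file: $1" >&2; return 1; }
    { cat "$1"; cat; } | sha256sum | cut -d' ' -f1
}

hw_luks_key() {
    # $1 = interface, $2 = salt file, $3 = optional root.
    # Capture first so a failed identifier read aborts instead of
    # silently hashing a partial input (a plain pipeline would hide it).
    ids=$(collect_hw_ids "$1" "$3") || return 1
    printf '%s\n' "$ids" | derive_key "$2"
}

# Intended use from an initramfs (assumed device names):
#   hw_luks_key eth0 /etc/hwkey.salt | cryptsetup open --key-file=- /dev/sda2 root
# Use the same command when running luksFormat so both sides see identical
# key bytes, and add a backup passphrase in a second key slot with
# cryptsetup luksAddKey, as advised above.
```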
frostschutz (Advocate; Joined: 22 Feb 2005; Posts: 2977; Location: Germany)
Posted: Thu Jun 18, 2015 8:34 pm

szatox wrote:
but encrypted storage is meant to guard against people with physical access to your toys.

There's physical access and there's physical access.

You can walk along a rack, pop HDDs out and take them with you. Easy-peasy.

Or your datacenter pops them out when they start growing bad sectors. What they do with it then is their affair. I have a datacenter I trust completely, but even there people work and people make mistakes; there was one case where a customer got the HDD of another customer along with their data.

szatox wrote:
And this way someone with physical access has the key as well.

Only true if they know a lot more detail about the box they popped the HDD out of, and hopefully you have enough variables to make brute force unattractive.
CaptainBlood (Advocate; Joined: 24 Jan 2010; Posts: 3625)
Posted: Fri Jun 19, 2015 8:13 pm

Let's say I want to set up a solution on an ARM Pi and sell it.
People could try to make a copy of the SD card in order to clone it, install it on identical HW, customize it and sell it behind my back.
I know what I suggest is not a strong protection, but at least there would be some.
I guess it is not so hard to reset the root pwd on an offline system partition.
I just want to discourage greedy noobs at the first level. No, it is not as easy as what they expected...
CaptainBlood (Advocate; Joined: 24 Jan 2010; Posts: 3625)
Posted: Fri Jun 19, 2015 8:30 pm

frostschutz wrote:
Encryption key based on cpu, ram, mac address, static random file (salt), ...:

https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples#Self-Decrypting_Server

Mac address or MotherBoard Serial
You'd have to adapt it to your own needs though. Especially the /proc/meminfo is rather noisy (changes with every kernel compile).

Definitely have a backup passphrase if you use this.

Also note that obtaining the MAC address in early initramfs requires the network driver to be built in (or have the initramfs load the network module first).

Mac address or MotherBoard Serial N° were just an example of something that may be unique to a specific platform.
A dongle key could also be the expensive way to see it...

Thanks for the link, as you saved my day... I was too early in the process to get there. Never encrypted any partition yet.

Thks 4 ur attention, interest & support