Geli questions

Brooks Davis brooks at one-eyed-alien.net
Wed Aug 23 19:02:00 UTC 2006


On Wed, Aug 23, 2006 at 02:17:02PM -0400, Jeff Palmer wrote:
> Hello,
> 
> Let me preface the email by saying I'm not overly familiar with geli,  and
> it may already have the ability to do what I'm about to describe.
> 
> The scenario:   A FreeBSD based appliance at a customer premises.  The
> customer really can't be trusted not to disassemble the box,  and gain
> knowledge about the box configuration, software, and design.
> 
> The idea:  I'd like to use geli to encrypt *everything* on the disk.  So
> if someone (a competitor maybe) removes the disk from the machine,   he
> can't gain any data off of it easily.  I know nothing is 100%,  but why
> make the process easy for him?
> 
> The problem:  I don't want the end user to have to do anything to the box,
> to have it "come back up" after a reboot/power failure.   The goal is an
> appliance that the client just plugs in,  and forgets about it.
> 
> The plan:  the appliance would be persistently connected to an SSL based
> VPN server at my central office. (Think OpenVPN server)  I'd like a way
> for geli to encrypt the entire disk,  but fetch the key from a server
> located on the VPN.  This would require the appliance to boot up,  access
> the internet (static IP), access the VPN (ssl key'd) and fetch the key
> that geli needs.
> 
> Is this currently possible using geli (or even other software that I may
> not have heard of)  or if not,   would it be overly difficult to
> implement?

What you want isn't possible, period.  There must be unencrypted code
somewhere in the process that has access to the decryption key so if
that code can be subverted they can read everything.  For example see
information on hacking the xbox where they built custom hardware and had
a virtually unlimited budget (and no concern about making a profit):

http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html

That said, if you can boot from non-replaceable board PROM or flash
memory and you disable all alternate boot methods (this probably
requires BIOS source code) you could probably use an externally stored
key if you really wanted to.  The network thing probably is not
worth doing since it won't add much security and would add a lot of
complexity as well as requiring very expensive hosting to protect you
against product liability issues when your ISP suffers a failure.

If your product is sold to people you can make sign a contract that's
likely to be more cost effective, possibly coupled with a little
obfuscation and judicious use of tamper detection mechanisms.

-- Brooks
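As an added illustration of the "externally stored key" step Jeff asks about (example code, not from either poster or from the geli project), the sketch below is the piece an unencrypted boot environment would run after it has brought up networking and the VPN tunnel: it fetches a geli keyfile, refuses anything that is not exactly the 64 bytes a `geli init -K` keyfile is normally created with, attaches the volume without a passphrase, and scrubs the on-disk copy. The key URL, device name, mount point and the `FETCH`/`GELI` overrides are placeholders. It does not change Brooks's point: this script is itself the unencrypted code that holds the key, so whoever can image the boot media and run it (or reach the key server from the appliance's VPN identity) gets the key.

```shell
#!/bin/sh
# Added example: boot-time key fetch for a geli-encrypted data volume.
# Not code from the thread or the geli project. Assumes a small unencrypted
# boot environment has already brought up the VPN. All names are placeholders.
set -u

KEY_URL="${KEY_URL:-https://keys.vpn.example.internal/appliance-01.key}"  # hypothetical
GELI_DEV="${GELI_DEV:-ada0p3}"                                             # hypothetical
MNT="${MNT:-/data}"                                                        # hypothetical
FETCH="${FETCH:-fetch}"   # FreeBSD fetch(1); set FETCH=curl on other systems
GELI="${GELI:-geli}"

# A keyfile for "geli init -K" is ordinarily made with
#   dd if=/dev/random of=keyfile bs=64 count=1
# so refuse anything that is not exactly 64 bytes: a truncated download or
# an HTML error page must never reach "geli attach".
validate_keyfile() {
    f="$1"
    [ -f "$f" ] && [ -r "$f" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -eq 64 ] || return 1
    return 0
}

# Download the key into a mode-0600 file inside the given directory.
fetch_key() {
    out="$1/geli.key"
    umask 077
    if [ "$FETCH" = "fetch" ]; then
        "$FETCH" -q -o "$out" "$KEY_URL" || return 1
    else
        "$FETCH" -fsS -o "$out" "$KEY_URL" || return 1
    fi
    validate_keyfile "$out"
}

# Overwrite and delete the on-disk copy once the kernel holds the key.
scrub_key() {
    f="$1"
    dd if=/dev/zero of="$f" bs=64 count=1 conv=notrunc 2>/dev/null
    rm -f "$f"
}

# Fetch, attach, scrub. -p: no passphrase, -k: keyfile; this matches a
# volume created with "geli init -P -K keyfile /dev/$GELI_DEV".
attach_volume() {
    dir=$(mktemp -d) || return 1
    if ! fetch_key "$dir"; then
        rm -rf "$dir"
        return 1
    fi
    "$GELI" attach -p -k "$dir/geli.key" "/dev/$GELI_DEV"
    rc=$?
    scrub_key "$dir/geli.key"
    rmdir "$dir"
    return $rc
}

# Only touch devices when invoked as "script attach"; otherwise the file can
# be sourced so the helper functions can be exercised offline.
if [ "${1:-}" = "attach" ]; then
    attach_volume && mount "/dev/${GELI_DEV}.eli" "$MNT"
fi
```

The anchoring point is `validate_keyfile`: geli will happily attach with a wrong keyfile and present unreadable garbage, so the boot script has to decide for itself whether what it downloaded is a key before it attaches and mounts.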