Subject: cgd and remote keys
To: None <email@example.com>
From: Curt Sampson <firstname.lastname@example.org>
Date: 12/31/2007 15:33:18
I've been thinking recently about how to add some additional security
to hosts in less-secure physical locations, where there's a possibility
they could be stolen. I'd like to use CGD to encrypt parts of the disks,
but it always seemed rather pointless if the key was in a file on the
disk, and of course the machine can't reboot unattended if it's not.
A solution to this did occur to me, however. If I added a new key
generation method to cgdconfig that made a TCP connection to a given
host, sent an identifier, and read back a key or passphrase, I could
have a server (or group of servers) elsewhere on the net supply that.
That server could refuse to return the information if the request came
from an unexpected IP address, and I could also disable that key in the
server if I found out the machine had been stolen (which I would very
quickly if I were monitoring it via Nagios or whatever).
For an unecrypted connection, this means that the perpetrator of a back
bag job would need to either sniff the key/passphrase in an exchange
before stealing the host, or compromise one of the servers holding the
key/passphrase. The former attack could be prevented by using IPSec.
I would also need to add a post-network /etc/rc.d/cgd script, probably
reading from a different config file (/etc/cgd/cgd-net.conf).
Of course, one couldn't encrypt one's root partition with this method,
but for encrypting something like /home or a data partition, it would be
Does this seem like a reasonable idea? Does anybody have any further
comments? Is there an existing protocol we might use that would be as
simple as a simple TCP connection? (HTTP comes to mind.) Would anybody
object to me writing and committing this, along with committing a simple
server to pkgsrc?
Curt Sampson <email@example.com> +81 90 7737 2974
Mobile sites and software consulting: http://www.starling-software.com