Re: Remotely decrypting a server (Linux)



Hi Woprbyte,

The USB key route can be rules out as i want to ensure that is the
machines are stolen the thief won't also have the key necessary to
decrypt them.
One time password's look interesting, but i can't find any encryption
software that allows your to use them for auth remotely, yet keeps
encrypted as much of the box not required to be executable for boot up
and to complete this process.

I've also looked into encrypted filesystems a bit. E.g. I found this:
http://balau82.wordpress.com/2009/08/23/secure-remote-storage-using-sshfs-and-encfs/

But it seems to be more concerned with remote encryption, not decryption.

On Tue, Sep 14, 2010 at 5:09 AM, Woprbyte <woprbyte@xxxxxxxxx> wrote:
Hi Niall,

What is the physical security of the machines like?  I would recommend using something like the lamport one time password scheme that keeps the decryption password changing.  That way you could make it so no server should have same password at any one time. But you need a way to make sure the machines aren't being impersonated by an attacker.
There are some ways to help ensure this but as you pointed app to app authentication really defeats the purpose.  If you store the "key" on the remote machine in some form an attacker will find the key or will circumvent the process... I would.
That's why I suggest the one time key scheme that allows you keep the changing and can be used with nonces.  But I am not sure if you want to go through manual customization.

You could also consider something like safe net USB key.  But beware they are not 100% secure and you would want to consider physical security as the devices can be circumvented via emulation.

I don't know how valuable your data is but I tend to be paranoid and try to create as much trouble making for the attacker while balancing access as best I can.

You could use certificates on each machine.  You will have to manage them.

Just some thoughts.  I have had to do something similar.



On Sep 11, 2010, at 11:25 PM, Niall <phierstarter@xxxxxxxxx> wrote:

Hi folks,

I have a tricky one here where i need to find a way to securely
authenticate a decryption mechanism of some sort where the
authentication is provided remotely without any user-interaction.

Right now i have a number of boxes that all inform a central server
when they are online. When they do this an OpenVPN connection is set
up between them and the server.

However, i have been given the task to ensure that the scripts
involved in this process are encrypted by default. This requires some
form of self-decryption, which to my mind kind of goes against the
whole idea of encryption/authentication in the first place.

I need some way to leave decrypted the bare essentials required to
boot a box and securely connect to the central server automatically.
Then the server would automatically send a key/passphrase and the rest
of the files on the box would then be decrypted on the fly.

If anyone knows of any software that provides this (maybe through
VMs?) it would be greatly appreciated.

I should add hat i'm also open to the idea of self-encrypting hard
disks, but what i've read about these in regards to Linux support has
put me off the whole TCG model.

Thanks.


--
Niall

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





--
Niall

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • Re: Auto-update protocol
    ... shared secret/public key is the only way to do the encryption. ... successfully decryption is the authentication. ... you can get using a generic farm server, but TFTP does not have any ... are available and forgo client polling at all ... ...
    (comp.arch.embedded)
  • Re: Auto-update protocol
    ... to transfer even with a single client and no interference. ... shared secret/public key is the only way to do the encryption. ... successfully decryption is the authentication. ... you can get using a generic farm server, but TFTP does not have any ...
    (comp.arch.embedded)
  • Use RSACryptoServiceProvider for encryption and let OpenSSL decryp
    ... The client uses a public key generated by the server. ... But the server cannot decrypt the sequence from the .NET client. ... would be an obvious reason for the error during decryption. ... I tested my code so that encryption / decryption works in the C code using ...
    (microsoft.public.dotnet.security)
  • CREATE SYMMETRIC KEY
    ... Server 2005, with the main purpose to use the encryption capabilities of SQL ... CREATE SYMMETRIC KEY SSN_Key_01 ... DECRYPTION BY CERTIFICATE HumanResources037; ...
    (microsoft.public.sqlserver.security)
  • [NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password De
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... HP Web JetAdmin is an enterprise management system for large amounts of HP ... The web server is a modular service ... HP Web JetAdmin uses it's own encryption. ...
    (Securiteam)