
Re: [tor-talk] Securing servers



On 2011-10-11 21:04 , tor@xxxxxxxxxxxxxxxxxx wrote:
> On 11/10/11 19:34, Jeroen Massar wrote:
[..]
> Regarding your comments on keys being stored in RAM on crypto
> filesystems, I have a working solution for that too. My Ubuntu laptop
> uses full disk encryption, but the key is shifted from RAM into the
> debug registers of the CPU as soon as it starts booting, and all crypto
> operations are performed directly on the CPU without the key being
> transferred back into RAM, using the CPU's AES-NI instructions.

While that indeed solves (or at least makes it really hard to get to it ;)
the problem of the keys in memory/CPU registers, it, at least from what I
can see now, does not solve the problem that a process which is
allowed to do read/write operations on your fully encrypted disk can read
that data when somebody has compromised that process. One thing to keep
in mind. Your mail-directly-PGPd setup does not have that problem.

> This
> prevents the key being exposed during cold boot attacks. To achieve
> this, I patched my kernel using something called TRESOR. For more info
> see:
> https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

Gotta love the part about diving with a USB stick, now I just have to
get one of those to try out if it survives at least 50m ;)

But why don't you then just use only that USB stick instead of the SSD?
Though of course the SSD is quite a bit faster, they have 16GB 3.0
editions and 64GB USB2 versions which should mostly be sufficient and
half the space of the SSD in the box.

[..]
> Another possibility would be to have a mail server as a hidden service,
> and then just set up the Internet facing server to immediately forward
> all incoming email to the hidden server via Tor.

And presto, everything is safe. And in a similar way one could set up a
Gmail account and have a hidden service use the Tor network to exit to
Gmail and poll it over IMAP to fetch the email; find the mail store then ;)

Greets,
 Jeroen
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk