[Freedombox-discuss] DreamPlugs arrived this week, work fine. Network experiment?

Wed Apr 13 17:04:13 UTC 2011

On Wed, Apr 13, 2011 at 03:22:33PM +0100, Philip Hands wrote:
> On Wed, 13 Apr 2011 15:16:39 +0200, bertagaz at ptitcanardnoir.org wrote:
> > Hi,
> > 
> > Maybe one way to start working on the freedombox with this plug you
> > received might be to install debian on it, with encrypted rootfs, and then
> > install a bunch of the software/services listed on the wiki, with minimal
> > configuration and try to benchmark it to see how it behaves.
> 
> Just out of curiosity, why encrypt the rootfs?
> 
> I'd be mildly concerned that one is reducing the reliability and
> performance of the system for no real gain.
> 
> One needs to choose whether to put the keys on the box (and so render
> the encryption rather pointless) or to insist that one enters a passphrase
> on reboot, and thus render the system unable to do an unattended reboot.

Depends, the key might stored on a usb stick that you have to plug in the
FB so that it can boot.

> Also, if the reason for FB is to keep data safe from serious people from
> the TLAs, I'm sure they're capable of swiping the machine while keeping
> it powered up, and so preserving a filesystem key in RAM.

Not sure to know what TLA means, but still, the scenario you're describing
is easily worked around by shutting down the FB *before* they get their
hand on it (and carefully wipe the memory).

> Also, also, if you are worrying about them swiping the storage and
> attacking that, then you have given them a load of known plain-text by
> encrypting the whole operating system, which seems unwise -- it would be
> better to only encrypt the actual secrets, rather than /bin/bash etc..

I'm no crypto expert, but I don't think breaking an encrypted disk is as
easy as knowing that /bin/bash is on the disk.

> I'm not saying that one should not for instance use encrypted file
> systems on your laptop, if you're planning on carrying it around with
> you, but the point of FB seems to be that it remain locked inside your
> house, so having it able to boot back up after a power interruption
> seems like a more useful feature.

Well, depends on how you consider your house is "safe". Also, that might
be a good feature to have the possibility to host your FB elsewhere than
in your house, sometimes it's safer this way.

bert.