[Freedombox-discuss] encrypted root, manual boot [was Re: DreamPlugs arrived this week, work fine. Network experiment?]

Tony Godshall togo at of.net
Thu Apr 14 22:42:19 UTC 2011


...
>> One needs to choose whether to put the keys on the box (and so render
>> the encryption rather pointless) or to insist that one enters a passphrase
>> on reboot, and thus render the system unable to do an unattended reboot.
>
> Depends, the key might be stored on a usb stick that you have to plug in the
> FB so that it can boot.

Interesting.  A standard Linux install on a stick intended for some
other purpose with a grub stanza with a root= referencing the
freedombox's partition would do it.  You'd have to mount it when you
upgrade kernels, I guess, but otherwise it could be removed after
boot.  AFAIK you wouldn't even need to mount /boot after booting.  And
nothing on the FB would be unencrypted except its RAM.

>> Also, if the reason for FB is to keep data safe from serious people from
>> the TLAs, I'm sure they're capable of swiping the machine while keeping
>> it powered up, and so preserving a filesystem key in RAM.

> Not sure what TLA means, but still, the scenario you're describing

FBI?  CIA?  NSA?  KGB? FSB? SVR?  I'm guessing, of course.  (And
probably bringing their surveillance to this discussion.)

> is easily worked around by shutting down the FB *before* they get their
> hands on it (and carefully wiping the memory).

Yeah, like in Cryptonomicon.  Mag-wipe device on the door, plus remote
in and write a shell /dev/random to /dev/sd[a-z] while sitting cross-legged
on top of your car.  Well, I may have gotten the details wrong.

...

T


