
I am setting up a remote server at a colocation for a client and their primary request is that the data be encrypted beyond the boot partition. The main system will be in a dm-crypt LUKS container on the main drive, but since the kernel could be replaced maliciously in the case of a clear boot partition to capture the key, it will also need protection.

In order to satisfy this concern, the only option I can think of is a drive with built in hardware encryption and to unlock it remotely via the IPMI interface. The trouble with this is that the budget for monthly costs has already been approved for one IP address, which means there's no way to easily connect to the IPMI interface without a costly physical access trip, or an even more expensive session with the project manager to increase the budget a few bucks.

What I'm hoping to find is a drive solution that includes a firmware that can be booted to and connected to via SSH or HTTPS, unlock the encrypted data, and chainload the boot loader, which will include a kernel that loads the main LUKS array as the root partition. The interface can be USB or SATA, or even PCI-E.

I'm open to other suggestions, as this is the only serviceable option I can come up with on my own; I just can't find any similar solutions, or a term for this to search for.

ACiD GRiM

  • Pony up the $5 or $10 for the extra IP and switch port. You'll need it sooner or later. – Michael Hampton Aug 24 '13 at 05:25
  • I wish it were that easy, but I'm not in a position to negotiate. I'm just in charge of setting up the server, the people in charge of the terms with the co-lo center are deep in the recesses of the client. Once the server leaves my hands, it goes to the client and my only interaction with it will be remotely for the first week. – ACiD GRiM Aug 24 '13 at 05:37
  • If I were your client, and you _didn't_ advise me to do this, I'd think you either didn't know what you were doing or were trying to rip me off. You should advise the client, even if it goes nowhere, to protect yourself if nothing else. – Michael Hampton Aug 24 '13 at 05:41

1 Answer


I think Michael has the right answer. I understand completely where you're coming from, but it's not your job to presume the client's stupidity - most clients have an adequate supply of their own. Recommend the right thing and let them reject it on grounds of cost. Keep a paper trail.

Then, if they insist on a zero-cost option, you might consider using tripwire from that secured partition to check system integrity immediately after the partition has been unlocked. You can have confidence in the tripwire binaries and signature file, since they're on the encrypted partition. With those, you can have some confidence in the contents of the unencrypted partition, and the kernel and libraries thereon.

It's not perfect, but it's a lot more secure than no checks on the unencrypted partition; and you'll have offered them the chance to do better, and been rejected, if something ever does go pear-shaped.

MadHatter

  • Thank you, that looks like something I can do. I've already mentioned the ease of using the IPMI interface over monthly cost increases, but my contact has shot down any suggestions that could increase costs beyond the adjustable costs (the server and my time). I do have a paper trail and haven't assumed anything about client stupidity :) - I'm going to leave this unanswered for a little while because I'm hoping someone may suggest an exact solution for my own curiosity, however this is satisfactory – ACiD GRiM Aug 24 '13 at 06:28
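The check MadHatter describes, as an added example that is not part of the original answer and not the tripwire project's own code: a manifest of the unencrypted /boot is written once from a known-good system and stored on the encrypted root, and after every unlock /boot is re-hashed and compared against it before the kernel there is trusted. sha256sum and diff stand in for tripwire here; the paths (/etc/boot.manifest on the encrypted side, /boot on the clear side) and the fake kernel files are constructed for the demonstration. It checks file contents only, not ownership or modes, which tripwire also tracks, and it only means anything if the script, sha256sum and diff themselves live on the encrypted partition, as the answer points out.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stand-in for the
# tripwire check of the unencrypted /boot. Assumed layout (not from the page):
#   manifest on the encrypted root:  /etc/boot.manifest
#   tree being checked (clear):      /boot
# Needs GNU coreutils/findutils (sha256sum, sort -z, find -print0).

# Hash every regular file under $1. Paths are relative to $1 and sorted, so
# two snapshots of identical trees are byte-for-byte identical.
snapshot_dir() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum )
}

# Record the trusted state of $1 in manifest $2. Run once, from the unlocked
# system, right after installing or updating the kernel or boot loader.
make_manifest() {
    snapshot_dir "$1" > "$2"
}

# Re-hash $1 and diff it against manifest $2. Returns 0 only if nothing
# changed. A full diff, unlike `sha256sum -c`, also reports files that were
# ADDED (a second kernel, an extra initrd) or removed, not just modified ones.
verify_dir() {
    vd_tmp=$(mktemp)
    snapshot_dir "$1" > "$vd_tmp"
    if diff -u "$2" "$vd_tmp" > "$vd_tmp.diff"; then
        rm -f "$vd_tmp" "$vd_tmp.diff"
        return 0
    fi
    echo "INTEGRITY FAILURE in $1 (- expected, + found):" >&2
    cat "$vd_tmp.diff" >&2
    rm -f "$vd_tmp" "$vd_tmp.diff"
    return 1
}

# Self-contained demonstration on a constructed fake /boot in a temp dir:
# the clean tree passes, a replaced kernel fails, an added file fails.
demo() {
    work=$(mktemp -d)
    boot="$work/boot"
    manifest="$work/root/etc/boot.manifest"   # lives on the "encrypted" side
    mkdir -p "$boot/grub" "$work/root/etc"
    printf 'fake kernel image\n' > "$boot/vmlinuz-5.10"
    printf 'fake initramfs\n'    > "$boot/initrd.img-5.10"
    printf 'linux /vmlinuz-5.10 root=/dev/mapper/cryptroot\n' > "$boot/grub/grub.cfg"

    make_manifest "$boot" "$manifest"
    verify_dir "$boot" "$manifest" || { echo "clean tree should pass"; rm -rf "$work"; return 1; }

    # Someone with physical access swaps in a kernel that captures the passphrase.
    printf 'fake kernel image with key-capturing patch\n' > "$boot/vmlinuz-5.10"
    if verify_dir "$boot" "$manifest" 2>/dev/null; then
        echo "tampered kernel should fail"; rm -rf "$work"; return 1
    fi

    # Restore the kernel but leave an extra file beside it.
    printf 'fake kernel image\n' > "$boot/vmlinuz-5.10"
    printf 'not in the manifest\n' > "$boot/vmlinuz-5.10.old"
    if verify_dir "$boot" "$manifest" 2>/dev/null; then
        echo "added file should fail"; rm -rf "$work"; return 1
    fi

    rm -rf "$work"
    echo "demo: clean tree passed, tampered and added files were caught"
}

demo
```

In use, `verify_dir /boot /etc/boot.manifest` would be run by the first script executed after the LUKS container is opened (from binaries on the encrypted root), and the manifest regenerated with `make_manifest` only after a deliberate kernel or boot loader update; any other diff is the signal to stop and investigate before rebooting into that kernel again.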