From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id D62731381FA for ; Mon, 2 Jun 2014 13:29:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F1A52E0B6E; Mon, 2 Jun 2014 13:29:26 +0000 (UTC) Received: from smtpq1.gn.mail.iss.as9143.net (smtpq1.gn.mail.iss.as9143.net [212.54.34.164]) by pigeon.gentoo.org (Postfix) with ESMTP id C6E1CE0B4E for ; Mon, 2 Jun 2014 13:29:25 +0000 (UTC) Received: from [212.54.34.136] (helo=smtp5.gn.mail.iss.as9143.net) by smtpq1.gn.mail.iss.as9143.net with esmtp (Exim 4.71) (envelope-from ) id 1WrSIn-0003yC-7t for gentoo-user@lists.gentoo.org; Mon, 02 Jun 2014 15:29:25 +0200 Received: from 53579160.cm-6-8c.dynamic.ziggo.nl ([83.87.145.96] helo=data.antarean.org) by smtp5.gn.mail.iss.as9143.net with esmtp (Exim 4.71) (envelope-from ) id 1WrSIm-0004gY-MN for gentoo-user@lists.gentoo.org; Mon, 02 Jun 2014 15:29:25 +0200 Received: from andromeda.localnet (unknown [213.19.196.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by data.antarean.org (Postfix) with ESMTPSA id 1E9FE4C for ; Mon, 2 Jun 2014 15:28:46 +0200 (CEST) From: "J. Roeleveld" To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet? Date: Mon, 02 Jun 2014 15:29:15 +0000 Message-ID: <2018854.UoMFgieO5e@andromeda> Organization: Antarean User-Agent: KMail/4.12.5 (Linux/3.12.20-gentoo; KDE/4.12.5; x86_64; ; ) In-Reply-To: <87B44633-4D1C-483D-AE18-834F05355A94@iki.fi> References: <538B1D0A.9070405@libertytrek.org> <2862641.ndOcOWRyVd@andromeda> <87B44633-4D1C-483D-AE18-834F05355A94@iki.fi> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Ziggo-spambar: ---- X-Ziggo-spamscore: -4.9 X-Ziggo-spamreport: ALL_TRUSTED=-1,BAYES_00=-1.9,PROLO_TRUST_RDNS=-3,RDNS_DYNAMIC=0.982 X-Ziggo-Spam-Status: No X-Spam-Status: No X-Spam-Flag: No X-Archives-Salt: 8098c077-de53-4d1e-bb34-fd1ef13e7aef X-Archives-Hash: 18200a92e0ab97dc15ab7147e3090959 On Monday, June 02, 2014 04:23:07 PM Matti Nykyri wrote: > On Jun 2, 2014, at 17:52, "J. Roeleveld" wrote: > > On Monday, June 02, 2014 03:23:03 PM Matti Nykyri wrote: > >> On Jun 2, 2014, at 16:40, "J. Roeleveld" wrote: > >>> On Monday, June 02, 2014 07:28:53 AM Rich Freeman wrote: > >>>> On Mon, Jun 2, 2014 at 6:56 AM, Neil Bothwick wrote: > >>>>> On Mon, 02 Jun 2014 05:27:44 -0500, Dale wrote: > >>>>>> The second option does sound what I am looking for. Basically, if I > >>>>>> log > >>>>>> out but leave my computer on, leave home, some crook/NSA type breaks > >>>>>> in > >>>>>> and tries to access something or steals my whole puter, they would > >>>>>> just > >>>>>> get garbage for data. That seems to fit the second option best. > >>>>> > >>>>> If they steal your computer they will have to power it off, unless you > >>>>> are kind enough to leave them a large enough UPS to steal along with > >>>>> it, > >>>>> so any encryption will be equally effective. > >>>> > >>>> If you're worried about casual thieves then just about any kind of > >>>> properly-implemented encryption will stop them. > >>>> > >>>> If you're worried about a government official specifically tasked with > >>>> retrieving your computer, my understanding is that it is SOP these > >>>> days to retrieve your computer without powering it off for just this > >>>> reason. They won't use your UPS to do it. Typically they remove the > >>>> plug just far enough to expose the prongs, slide in a connector that > >>>> connects it to a UPS, and then they pull it out the rest of the way > >>>> now powered by the UPS. > >>>> > >>>> See something like: > >>>> http://www.cru-inc.com/products/wiebetech/hotplug_field_kit/ > >>> > >>> Hmm... Those are nice, but can be easily built yourself with an > >>> off-the-shelf UPS. > >>> > >>>> Presumably somebody who is determined will also have the means to > >>>> retrieve the contents of RAM once they seize your computer. Besides > >>>> directlly accessing the memory bus I think most motherboards are not > >>>> designed to be secure against attacks from PCI/firewire/etc. > >>> > >>> Hmm... add something to auto-shutdown the computer when a hotplug event > >>> occurs on any of the internal ports and remove support for unused ports > >>> from the kernel. > >>> > >>> I wonder how they'd keep a computer from initiating a shutdown procedure > >>> or > >>> causing a kernel panic when it looses (wireless) connection to another > >>> device that is unlikely to be moved when powered up? > >> > >> Well i have a switch in the door of the server room. It opens when you > >> open > >> the door. That signals the kernel to wipe all the encryption keys from > >> kernel memory. Without the keys there is no access to the disks. After > >> that > >> another kernel is executed which wipes the memory of the old kernel. If > >> you > >> just pull the plug memory will stay in its state for an unspecified time. > > > > You don't happen to have a howto on how to set that up? > > Well i have a deamon running and a self made logic device in COM-port. Very > simple. It has a single serial-parallel converter to do simple IO. > Currently it just controls one relay that powers the network-devices. I actually meant the software side: - How to wipe the keys and then wipe the whole memory. > >> I consoder this setup quite secure. > > > > Makes me wonder what it is you are protecting your server from. :) > > Well just a hobby. I wanted to play with electronics. The server controls my > heating, locks of the house, lights, airconditioning, fire-alarm and > burglar-alarm. Gentoo-powered house... I would keep the system controlling all that off the internet with only a null-modem cable to an internet-connected server using a custom protocol. Anything that doesn't match the protocol initiates a full lock-down of the house. ;) -- Joost