From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 795BD1381FA for ; Tue, 3 Jun 2014 19:05:57 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8A70BE097E; Tue, 3 Jun 2014 19:05:50 +0000 (UTC) Received: from smtpq2.tb.mail.iss.as9143.net (smtpq2.tb.mail.iss.as9143.net [212.54.42.165]) by pigeon.gentoo.org (Postfix) with ESMTP id 71902E0956 for ; Tue, 3 Jun 2014 19:05:49 +0000 (UTC) Received: from [212.54.42.135] (helo=smtp4.tb.mail.iss.as9143.net) by smtpq2.tb.mail.iss.as9143.net with esmtp (Exim 4.71) (envelope-from ) id 1Wru1s-0004eh-Um for gentoo-user@lists.gentoo.org; Tue, 03 Jun 2014 21:05:48 +0200 Received: from 53579160.cm-6-8c.dynamic.ziggo.nl ([83.87.145.96] helo=data.antarean.org) by smtp4.tb.mail.iss.as9143.net with esmtp (Exim 4.71) (envelope-from ) id 1Wru1s-0008Vb-Hg for gentoo-user@lists.gentoo.org; Tue, 03 Jun 2014 21:05:48 +0200 Received: from andromeda.localnet (unknown [10.20.13.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by data.antarean.org (Postfix) with ESMTPSA id 08BD54C for ; Tue, 3 Jun 2014 21:05:08 +0200 (CEST) From: "J. Roeleveld" To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen t his discussed here yet? Date: Tue, 03 Jun 2014 21:05:36 +0000 Message-ID: <2916348.CGJUT6OHQy@andromeda> Organization: Antarean User-Agent: KMail/4.12.5 (Linux/3.12.20-gentoo; KDE/4.12.5; x86_64; ; ) In-Reply-To: <06A7F4C9-8B0B-4C1D-9CC3-77D2F41DA886@iki.fi> References: <538B1D0A.9070405@libertytrek.org> <2018854.UoMFgieO5e@andromeda> <06A7F4C9-8B0B-4C1D-9CC3-77D2F41DA886@iki.fi> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Ziggo-spambar: ---- X-Ziggo-spamscore: -4.9 X-Ziggo-spamreport: ALL_TRUSTED=-1,BAYES_00=-1.9,PROLO_TRUST_RDNS=-3,RDNS_DYNAMIC=0.982 X-Ziggo-Spam-Status: No X-Spam-Status: No X-Spam-Flag: No X-Archives-Salt: 3c7f36d9-3a85-438e-a8b2-71f9868c3661 X-Archives-Hash: 7e8c1448aa121d7eb0ecf5c94f4ef648 On Tuesday, June 03, 2014 09:53:58 PM Matti Nykyri wrote: > On Jun 2, 2014, at 18:29, "J. Roeleveld" wrote: > > I actually meant the software side: > > - How to wipe the keys and then wipe the whole memory. > > The dm-crypt module inside kernel provides a crypt_wipe_key function that > wipes the memory portion that holds the key. It also invalidates the key, > so that no further writes to the drive can occur. Suspending the device > prior is recommended: > > dmsetup suspend /dev/to-device > dmsetup message /dev/to-device 0 key wipe Thank you for this, wasn't aware of those yet. Does this also work with LUKS encrypted devices? > When you boot into your kernel you can setup a crash kernel inside your > memory. The running kernel will not touch this area so you can be certain > that there is no confidential data inside. Then you just wipe the area of > the memory of the original kernel after you have executed your crash > kernel. > > So I do this by opening /dev/mem in the crash kernel and then mmap every > page you need to wipe. I use the memset to wipe the page. Begin from > physical address where your original kernel is located and walk the way up. > Skip the portion where you crash kernel is! Crash kernel location is in > your kernel cmdline and the location of the original kernel in your kernel > config. Hmm.. this goes beyond me. Will need to google on this to see if I can find some more. Unless you know a good starting URL? > > I would keep the system controlling all that off the internet with only a > > null-modem cable to an internet-connected server using a custom protocol. > > > > Anything that doesn't match the protocol initiates a full lock-down of the > > house. ;) > > But it is much more convenient to control everything from you phone via > internet. Just have everything setup in a secure manner. Anyways it's > easier for a common burglar to break the window then to hack the server! > And you can not steal the stereos by hacking the server ;) Perhaps, but I would have added security shutters to all the windows and doors which are also controlled by the same system. Smashing a window wouldn't help there. Especially if the only way to open those is by getting the server (which by then went into a full lock-down) to open them... Now only to add a halo fire suppression system to the server room and all you need to do is find a way to dispose of the mess.... ;) -- Joost