Security criteria

oneyed at gmx.de oneyed at gmx.de
Mon Jan 5 14:45:57 PST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5,SHA1

Hi,

> Whats about using crypted filesystems, like loop-aes?
> Hardening a system should not only focus on hardening
> remote and local "hacks" but also in a worst-case scenario
> with full physical access to the server. 
> A hardend system should IMO also be resistant to somebody
> how can plug the harddisks in his own computer!
Yes, I think setting up a secure system should include crypted filesystems. I'm using a nearly completly encrypted system (just one small unencrypted boot-partition that is MD5SUM- checked everytime I boot the system) on my homecomputer and everything is fine.

There are three disadvantages:

1st: It slows down the system. Made some benchmarks with bonnie++ some months ago and the result: the encrypted ext2- partition slows down by appr. 33%

2nd: If you would setup a server using crypto-fs you could be in trouble, if the systems has to reboot for some reason (i.e.: going up again after a power failure) and you are not arround - you'll have NO access to the computer from outside to type in the password. Especially at a mailserver this can be critical.

3rd: You need a rescuedisk with a crypto-enable-kernel *in any case*. It was a hard way for me to get access to my system after my boot-partition crashed and the kernel was damaged

Probably #2 und #3 can be solved by not encrypting everything, but what you have to encrypt and how you have to modify your serverprogs (i.e.: don't deliver local mail if the mailboxes are not arround) would be special for your special needs.

Thats my first though about it..

ONEYED
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQEVAwUBP/npJacsheI/DXCFAQH5Qgf/TnM+RIa45EE5nmOsW/PcMJ/9IvBKtbpc
4UMGAzINW9aTTvXXadwmjM8BNyBJGloK+BS4/wWSPYiKG3/Y+C6Ghnfip0iRkIOy
V9Sqc850bWQjRa+1AOvcfpByuSazRXYHw9DnDHjPW7Ac9wPvTEerQbqNcsGUhRiR
u7jwIrA1j1AczO3E2bsC+T/hdIEzpOprenxTmrNE9QeI9BnhAj2sHmbmExRgfKj3
rCv1mV4Bcbj8TOT6m6a4HdT0zIIkyKI7xUSXSmmH0+b4ldQ09sOdY4CwiJuPad2o
ZH8syGV5s04a98iXMIIq2CWtDERQ4rgR9DHqqm6pUzuNo3qmX2+nnYg/AwUBP/np
JU7zA8NAgxQdEQKvBgCeKGbpt7EOZdeZiFk2sfh57bnaY/gAnA+k7hqMtFGY8ydm
oadxGPlTMjJE
=ty/t
-----END PGP SIGNATURE-----



More information about the hlfs-dev mailing list