mmidboe@uahcs2.cs.uah.edu (Matt Midboe) writes:
What is the problem with just having a regular key file, and when the user boots up the computer it asks them a pass phrase to decrypt the key file? If they fail wipe the key and force the user to restore the key from a backup somewhere.
The problem with this is that a hostile third party who has captured a machine will first make a backup of all files on the system, including the key. It is very likely that the party will bypass the initial bootup procedure in which the key is requested, since the hostile party expects some sort of 'data bomb,' having been involved with systems confiscation for quite some time. While there are some options available, such as disallowing bootups from floppy, these are in the main cheap hacks not to be trusted for security. In this case, when the system is booted and the key is requested, even if the key is wiped, they simply restore it from backup and try again. They are likely to keep the system for several months, so they will have time to conquer any 'toy-grade' security. While it is not yet standard procedure to make a snapshot of the system memory when confiscating systems, the increasing cleverness of law enforcement and other bodies makes this seem likely in the future. So you can't have the key on the disk, nor can you have it hanging around in cleartext in memory except when encrypted data is accessed; preferably, the key should be encrypted, and on some fragile (i. e., easily destroyable) media. Any backups should be encrypted, and not easily accessible; preferably with a trusted party and not in the same building as the computer with encrypted information. ---- Robert W. F. Clark "Be sand, not oil, in the rclark@nyx.cs.du.edu machinery of the world." Gunter Eich