non-interactive full disk encryption
March 9, 2011 10:03 AM
I'm tasked with attempting to build a secure virtual appliance. Problem is, I'm trying to stop people from gaining root access to the appliance via single user mode. This leads to a need for disk encryption. Any ideas on how to create an encrypted disk that wouldn't require someone to put in a password (plug in a USB device, interact with the boot process) to boot and would still be relatively secure?
You can put a password in grub so they can't get into single user mode. Also put a password in the BIOS and disable any booting except for the main disk. Secure the tower and off you go.
You can go the encryption route, but this is easier, especially if you don't have a need for full disk encryption other than avoiding the single-user mode.
posted by damn dirty ape at 10:15 AM on March 9, 2011
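The GRUB password suggested above is worth checking rather than assuming. The following audit script is an added example, not code from the thread or from any of the posters: it parses a GRUB 2 `grub.cfg` and reports whether a superuser and a hashed password are set, whether each menu entry still boots without a password (the `--unrestricted` flag), and whether any single-user/recovery entry is reachable without authentication. Both configs embedded in it are constructed samples, and the PBKDF2 hash is a placeholder; a real one comes from `grub-mkpasswd-pbkdf2`.

```python
import re

# Constructed sample: a grub.cfg fragment with no password protection.
# Anyone at the console can press 'e', append "single" or "init=/bin/sh", and boot.
UNPROTECTED_CFG = """\
set timeout=5
menuentry 'Ubuntu' {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' {
    linux /vmlinuz root=/dev/sda1 ro single
    initrd /initrd.img
}
"""

# Constructed sample: the same fragment hardened. A superuser is declared with a
# PBKDF2 hash (placeholder; generate a real one with grub-mkpasswd-pbkdf2), the
# normal entry is --unrestricted so the appliance still boots unattended, and
# the recovery entry stays restricted so it requires the GRUB password.
HARDENED_CFG = """\
set timeout=5
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Ubuntu' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' {
    linux /vmlinuz root=/dev/sda1 ro single
    initrd /initrd.img
}
"""

# One top-level menuentry: quoted title, option flags, body up to a line that is just "}".
ENTRY_RE = re.compile(
    r"^\s*menuentry\s+(['\"])(?P<title>.*?)\1(?P<opts>[^{\n]*)\{(?P<body>.*?)^\}",
    re.M | re.S,
)


def audit_grub_cfg(cfg: str) -> dict:
    """Return findings about console-level protection in a GRUB 2 config."""
    superusers = re.search(r"^\s*set\s+superusers=", cfg, re.M) is not None
    hashed = re.search(r"^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.", cfg, re.M) is not None
    plaintext = re.search(r"^\s*password\s+\S+\s+\S+", cfg, re.M) is not None

    entries = []
    for m in ENTRY_RE.finditer(cfg):
        body = m.group("body")
        entries.append({
            "title": m.group("title"),
            # Without superusers, GRUB enforces nothing; with it, only --unrestricted
            # entries boot without authentication (editing always needs it).
            "boots_without_password": (not superusers) or ("--unrestricted" in m.group("opts")),
            # Kernel line drops to single-user mode or replaces init.
            "single_user": re.search(r"\s(single|1|init=\S+)(\s|$)", body) is not None,
        })

    issues = []
    if not superusers:
        issues.append("no 'set superusers': anyone at the console can edit the kernel command line")
    if plaintext:
        issues.append("plaintext 'password' directive: use password_pbkdf2 instead")
    if superusers and not (hashed or plaintext):
        issues.append("superusers set but no password directive: nobody can authenticate")
    for e in entries:
        if e["single_user"] and e["boots_without_password"]:
            issues.append(f"entry {e['title']!r} boots to single-user mode without a password")
    if superusers and not any(e["boots_without_password"] for e in entries):
        issues.append("no --unrestricted entry: unattended boot will stop at a password prompt")

    return {
        "superusers_set": superusers,
        "password_hashed": hashed,
        "password_plaintext": plaintext,
        "entries": entries,
        "issues": issues,
    }


if __name__ == "__main__":
    for name, cfg in (("unprotected", UNPROTECTED_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_grub_cfg(cfg)["issues"] or ["ok"])
```

On a Debian-style system the `set superusers` and `password_pbkdf2` lines go in `/etc/grub.d/40_custom` and `update-grub` regenerates `grub.cfg`; the `--unrestricted` flag on the normal entry is what keeps the appliance booting without anyone at the console, which is the non-interactive requirement the question asks for. This only addresses console interaction, the point Rhomboid and russm make later in the thread still applies: someone holding the VM image file can bypass GRUB entirely.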
I'm not entirely sure about your setup (and for various reasons, can see why you can't say more). But more context would help a great deal.
If your concern is runlevel (single user mode), then busybox only supports one runlevel.
However, all things considered, to quote an old prof, the only real secure box is one not connected to anything and guarded by people with guns.
posted by k5.user at 10:15 AM on March 9, 2011
If you're using a standard motherboard for this appliance, you could restrict the ability to boot off of other media (set HD to 1st device, and prevent boot selector), then password protect the BIOS so it cannot be changed by just anyone. Encryption usually relies on a password or a TPM/USB key. So you're probably better off preventing interaction with the boot process from the get-go.
If you have any additional information on the host OS, I'm sure we could provide some additional security tools to help lock it down.
posted by samsara at 10:17 AM on March 9, 2011
You're talking about a VM image here right? There's really no way to secure this because if you have the VM image it's the same as having the hard drive of the machine, meaning you can just mount the image and manipulate it any way you want bypassing any protection. Sure you can encrypt it, but they will still be able to find the password in the bootloader and decrypt it since the password has to be stored in the VM image somewhere.
posted by Rhomboid at 10:28 AM on March 9, 2011 [1 favorite]
encryption isn't a solution to "stop someone at the console from getting to single user mode", it's a solution to "stop someone taking the disk out or booting off other media and seeing what's in the filesystem".
if your threat model doesn't include the drive being physically removed and inspected elsewhere, then as others have said you should be fine with locking down the BIOS and the booter so that an attacker can't alter the kernel command line or boot off alternate media.
if you do need to be protected against physical intervention with the boot drive then encryption of that device will only help you if the attacker can't boot the system without having someone come along and type in a passphrase or stick in a USB stick with some key material on it or whatever. if the system can independently access its own key material in order to decrypt the filesystem backing store then your attacker can also access that key material.
posted by russm at 2:23 PM on March 9, 2011
This is probably harder than you think.
One of the most important things in computer security (any security, I suppose) is to know what you are defending against: how determined are they, how resourceful, how much time and equipment do they have. You don't seem to have done this?
If you really want to protect against someone who has the ability to open the case, I think your only option is tamper-detection mechanisms that wipe the crypto keys if someone tries. Don't forget to protect against cold boot attacks— say, by including a UPS inside an armored case inside the outer case that'll power the machine long enough to wipe all the DRAM.
posted by hattifattener at 9:20 PM on March 9, 2011 [1 favorite]
Best answer: This is impossible. You are handing people the castle and the keys.
All you can do is build a moat: make it more difficult to get at what you are trying to hide.
You should look at a good contract, along with code obfuscation.
posted by devnull at 8:31 AM on March 17, 2011
It would help to know more about what you're trying to accomplish here. If you're just trying to prevent users from rooting the box in single user mode, just password protect the bios and the bootloader, set the bootloader to not accept any additional options from the console, and set the bios not to boot from any device besides the main HD. Beyond that, what are the threats you're looking to prevent?
posted by zachlipton at 10:14 AM on March 9, 2011