disk encryption for unmanned Ubuntu 10.04 servers 1

[NewtownGuy]

I need to put unmanned Ubuntu 10.04 servers in the field. I would like to encrypt the hard drive so its contents can't be copied if a server is stolen. There's a disk encryption option in the Ubuntu installer that I thought might be useful.

But, since the server is unmanned, how does the encryption key get entered each time the server boots without risk of loss of, for example, a USB stick with the key on it ? Can the key be on the encrypted hard drive so the server can be booted, and protected by login, but the hard drive not copied ?

The server is connected to the Internet, and uses OpenVPN for communications with appropriate firewalls on the server. Each server has a unique, revokable security key.

Thank you in advance.

--

 

[Noway2]

This is a definite "between a rock and a hard place" question. The very first thing you need to determine is exactly what it is that you want to keep away from prying eyes should this system get stolen. What I mean is, do you really care if they see standard system binaries that are available from the repositories?

One big problem you face is booting, especially being a remote system. First, you can encrypt the hard drive, or at least portions of it. You will need an unencrypted boot section to get things started. The next obstacle is as you mentioned, login. Normally, what one does to avoid the situations mentioned above is to encrypt the /home partition or even a 'private' subset of it for placing sensitive files. These sections get mounted and decrypted when a valid user password is entered. With a remote server location, this can be a real problem.

Another factor to remember, since you mention physical theft of the hardware, is that physical access == root access. Once they have the physical machine, there are a lot of things that can be done, including using a live CD, altering the BIOS, removing the HDD, etc. At this point, there are ways to gain root privilege and change the user passwords rendering your encryption void. As an aside, I once had a problem like this with a co-worker who changed my password simply to view my home folder and then couldn't change it back and got caught as a result.

If you really have files that you don't want them to access if it is physically stolen, there may be better ways like not putting them physically on the drive and setting it up to have a remote network based file system.

 

[NewtownGuy]

to: Noway2

Thank you for your reply.

The sole purpose of the unmanned system is to continuously acquire sensitive data with a data rate so high that it can only be stored on the local hard drive. That process begins upon boot and runs indefinitely. A network connection is provided so relatively small amounts of data can be accessed remotely via a secure connection using Open VPN.

All I really need to protect is the folder with the data.

Doesn't Ubuntu Server 10.04's whole-disk encryption encrypt everything except whatever little is required to boot ?

I've considered using a serial console connection to a modem to feed in the encryption key from a remote source when the system boots, but someone could sniff that connection during booting and steal the key...

There must be a way...

--

 

[Noway2]

The Achilles Heal of the encryption idea is that you would need to have a user log in to decrypt the partition and using automatic log in defeats the purpose.

If the system were able to come up at least in a rudimentary fashion, you could have it send you an alert in some fashion and then you could open an SSH connection, start the process in an application such as screen which you can disconnect from.

I am honestly not familiar enough with the whole disk encryption to to know how far up it will bring the system. I think that it would have to leave an unencrypted boot section, though.

Could you perchance encrypt the data as it is being written to the disk? This would only require a public key and you wouldn't need to decrypt anything to mount or run the system? Off hand, I don't think the overhead would be any greater, and likely less than, having the whole file system encrypted. Without having the decryption key located on the system (if possible), it would prevent a lot of avenues of attack should the box be stolen.

 

[IPGuru]

the auto login is definetly a problem as that woudl render the data visible even when stolen.

I am not 100% sure if this is posible & may depend on the encrytion fs in use but is it possible to have the key stored on a renote shared location?
then once of site the key would not be visible so no more access to the data.

I cant help further as I do not realy know encrypted files systems

I do not Have A.D.D. im just easily, Hey look a Squirrel!

 

[hdingman]

I'd agree with Noway2, and something like OpenPGP is probably your best bet in this situation. Then the unattended system can boot unencrypted, save the data encrypted using the public key, and the data can only be decrypted with the private key which is not on the remote server. Make the key very large for good security.

http://en.wikipedia.org/wiki/Pretty_Good_Privacy

You also would have the advantage that most of the server operation will not require decryption,which will lessen system overhead, speed the reboot process and decrease latency. That's probably important in an application with "a data rate so high that it can only be stored on the local hard drive."

And lastly, will the system have predictable lulls or slack time? If so, set up CRON jobs to upload and verify the data to "home office" during the lulls, then shred the remote file after the transmission is verified. Keep absolute minimum data stored remotely, to further minimize the impact of a physical loss.