[Ltsp-discuss] Encrypted NBD root
Ivan Mincik
2015-06-01 20:03:39 UTC
Dear LTSP developers,
I am wondering if it is possible to set up an encrypted NBD root device,
which I want to use in some other Open Source project. I have just
found that LTSP is using encrypted NBD, but only for the swap device. Is
there any technical reason that it is not possible to do so for the root
device?

Thanks a lot


- --
Ivan Minčík
***@gmail.com GPG: 0x79529A1E
http://imincik.github.io/0x79529A1E.key
***@gista.sk GPG: 0xD714B02C
http://imincik.github.io/0xD714B02C.key
Alkis Georgopoulos
2015-06-02 04:32:55 UTC
Post by Ivan Mincik
Dear LTSP developers,
I am wondering if it is possible to set up an encrypted NBD root device,
which I want to use in some other Open Source project. I have just
found that LTSP is using encrypted NBD, but only for the swap device. Is
there any technical reason that it is not possible to do so for the root
device?
If the server is to encrypt something, and only specific (=LTSP) clients
are to be able to decrypt it, then they need some special information from
the server, e.g. the server's private encryption key or something.

How are you planning to deploy that to netbooted clients?
They need local storage for that... alternatively, the root file system
encryption can be based on the client's hardware specific information,
that is transferred securely to the server and used as a seed to the
server's private encryption key (multi-key encryption).

For the swap partition it's not the same, it's the client itself that
formats + encrypts the swap partition, not the server.
Ivan Mincik
2015-06-02 12:35:50 UTC
Post by Alkis Georgopoulos
Dear LTSP developers, I am wondering if it is possible to set up an
encrypted NBD root device, which I want to use in some other Open
Source project. I have just found that LTSP is using encrypted
NBD, but only for the swap device. Is there any technical reason
that it is not possible to do so for the root device?
If the server is to encrypt something, and only specific (=LTSP)
clients are to be able to decrypt it, then they need some special
information from the server, e.g. the server's private encryption
key or something.
How are you planning to deploy that to netbooted clients? They need
local storage for that... alternatively, the root file system
encryption can be based on the client's hardware specific
information, that is transferred securely to the server and used as
a seed to the server's private encryption key (multi-key
encryption).
I was thinking that if we would use an encrypted root, only the system
administrator would be able to boot client machines, by manually
entering a password. Or do you know any better solution?
Post by Alkis Georgopoulos
For the swap partition it's not the same, it's the client itself
that formats + encrypts the swap partition, not the server.
Thanks for explanation.


Άλκης Γεωργόπουλος
2015-06-03 04:26:56 UTC
Post by Ivan Mincik
I was thinking that if we would use an encrypted root, only the system
administrator would be able to boot client machines, by manually
entering a password. Or do you know any better solution?
If you're willing to go to each client and enter a username/password,
you might as well use a USB stick with a kernel/initrd and the
encryption key with it, and boot with that
(and of course remove it 5 seconds later, when the kernel/initrd are loaded).

To avoid that, read about multi-key encryption and also try to find a
way like dmidecode with which you can get a static seed from each
client, readable only by root.

Cheers,
Alkis
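The scheme Alkis sketches above (one encrypted root, several clients able to unlock it, each with a key derived from a hardware seed plus a server-side secret) is essentially what LUKS does with multiple keyslots. The block below is an added illustration, not LTSP code or anything from this thread: it derives a per-client slot key with HKDF from a constructed DMI-style seed and a constructed server secret, wraps a single root data key once per enrolled client, and has a client unwrap only its own slot. The seed names, the `ltsp-root-slot` label and the XOR-keystream wrapping (standing in for the AES key wrap a real implementation would use) are all assumptions made for the example. One caveat worth keeping in mind: `/sys/class/dmi/id/product_uuid` is readable only by root on a running system, but anyone with physical access can boot other media and read it, so the seed is an identifier rather than a secret, and the security rests on how the server-side secret is gated.

```python
"""Added example (not LTSP's code): multi-slot key wrapping for a shared
encrypted root, keyed per client from a hardware seed and a server secret.
Standard library only, so it runs offline."""
import hashlib
import hmac
import os


def hkdf(ikm, salt, info, length):
    """HKDF-SHA256 (RFC 5869): extract with the salt, then expand with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def slot_key(server_secret, hw_seed):
    """64 bytes: first half encrypts the wrapped key, second half authenticates it.
    The seed alone is not secret (DMI data can be read offline), so it is mixed
    with a secret the server issues only to enrolled clients."""
    return hkdf(server_secret, salt=hw_seed.encode(), info=b"ltsp-root-slot", length=64)


def wrap(dek, kek):
    """Return nonce || ciphertext || tag for the data encryption key."""
    nonce = os.urandom(16)
    enc_key, mac_key = kek[:32], kek[32:]
    stream = hkdf(enc_key, nonce, b"wrap", len(dek))  # one-time keystream per nonce
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(blob, kek):
    """Return the data key, or None if the tag does not verify (wrong machine
    or wrong server secret): fail closed instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hkdf(enc_key, nonce, b"wrap", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def build_header(dek, server_secret, client_seeds):
    """Server side: one slot per enrolled client. Slots are indexed by a hash
    of the seed so the header itself does not list the clients' seeds."""
    return {
        hashlib.sha256(seed.encode()).hexdigest(): wrap(dek, slot_key(server_secret, seed))
        for seed in client_seeds
    }


def open_root(header, server_secret, hw_seed):
    """Client side (what an initramfs would do): find own slot, unwrap the DEK."""
    blob = header.get(hashlib.sha256(hw_seed.encode()).hexdigest())
    if blob is None:
        return None
    return unwrap(blob, slot_key(server_secret, hw_seed))


if __name__ == "__main__":
    # Constructed values: a server secret, two enrolled clients, one root DEK.
    SECRET = b"constructed-server-secret"
    SEEDS = ["11111111-2222-3333-4444-555555555555",
             "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]
    DEK = os.urandom(32)
    header = build_header(DEK, SECRET, SEEDS)
    print("client 1 unlocks:", open_root(header, SECRET, SEEDS[0]) == DEK)
    print("unenrolled client:", open_root(header, SECRET, "deadbeef-0000-0000-0000-000000000000"))
    print("wrong server secret:", open_root(header, b"other", SEEDS[0]))
```

Revoking a client is then a matter of removing its slot from the header and re-issuing the header; the root image itself does not need to be re-encrypted unless the data key is believed to have leaked.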
Ivan Mincik
2015-06-03 09:37:28 UTC
Post by Άλκης Γεωργόπουλος
Post by Ivan Mincik
I was thinking that if we would use an encrypted root, only the system
administrator would be able to boot client machines, by manually
entering a password. Or do you know any better solution?
If you're willing to go to each client and enter a
username/password, you might as well use a USB stick with a
kernel/initrd and the encryption key with it, and boot with that
(and of course remove it 5 seconds later, when the kernel/initrd are loaded).
To avoid that, read about multi-key encryption and also try to find
a way like dmidecode with which you can get a static seed from
each client, readable only by root.
Thank you very much Alkis, this brings new ideas to my problem.

