Eric, thats an interesting way to do it. Though I think it would take more changes in the system than we'd like to implement.
I was actually able to get full disk encryption to work without entering the passphrase. I edited softraid.c (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/stand/libsa/softraid.c) and hardcoded a passphrase so instead of prompting for it, it will automatically try the hardcoded passphrase. I compiled the second stage boot file and applied it with installboot like normal to the encrypted disk. The system boots with no manual intervention to an encrypted disk. Its some decent obfuscation to keep curious eyes out. Doing this seems kinda hokey so I'm not sure we'll go this route, but it does give us an option at least. On Tue, Dec 9, 2014 at 4:55 PM, Eric Lalonde <eric.c.lalo...@gmail.com> wrote: > One of the services provided by a previous employer was to on-premise > appliance for customers, rented in a SAAS model. Customers paid for a certain > amount of disk space. To ensure they couldn’t just swap disks to add more > capacity, each of our disks went through a ‘blessing’ process where we > performed various interesting perturbations to the first few megs of every > disk, including a checksum that was a function of a machine and customer > identifier. > > We fully understood that these efforts would never get in the way of a > dedicated and sophisticated adversary, but the bar was low since most of the > customers were end users who were using a managed service provider and never > directly interacted with our appliance. > > You might want to try something like that to make it non-trivial for > customers to pull your data. > > - Eric > > On Dec 9, 2014, at 4:14 PM, Steve Shockley <steve.shock...@shockley.net> > wrote: > >> On 12/9/2014 2:38 PM, John Merriam wrote: >>> Oh, and no matter what you do, they could always dump the RAM from your VM >>> instance and get your data from there after it's been decrypted. >> >> The key is also likely stored in RAM, and it is simpler to get a snapshot of >> RAM from a VM than it is to get one from a physical machine.
