Re: [Ltsp-discuss] Encrypted NBD root
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03.06.2015 06:26, ? wrote: > On Tue, 2 Jun 2015 at 15:39 Ivan Mincik > wrote: >> I was thinking that if we would use encrypted root, only system >> administrator would be able to boot client machines by manually >> entering password. Or, do you know any better solution ? > > If you're willing to go to each client and enter a > username/password, you might as well use a USB stick with a > kernel/initrd and the encryption key with it, and boot with that > (and of course remove it 5 seconds later, when the kernel/initrd > are loaded). > > To avoid that, read about multi-key encryption and also try to find > a way like dmidecode with which you can get a static seed from > each client, readable only by root. Thank you very much Alkis, this brings a new ideas to my problem. - -- Ivan Min?ík ivan.min...@gmail.com GPG: 0x79529A1E http://imincik.github.io/0x79529A1E.key ivan.min...@gista.sk GPG: 0xD714B02C http://imincik.github.io/0xD714B02C.key -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVbsrTAAoJEPfdLsR5UpoeSREH/01cDFpjJdJlb0pq0CgVO37K +Isp6HZO67yZRN25sZoiv6JyQR6256wvOIqtKY3Ljl950RlUKq5fy4dM+SWYyZuL IMSumXRLUJ1mtnMqXovIynG1zlhZtf3DYBDjzY9XKffxA7JcLflx+gEjwfqmtzJH 9scAWoS2vtHdYyyppyeay+XiNxRd/H7sHzahpMVKFdieWrSJh25qArGZLPCRZuOV bO6OZSWoGGbo71ah+9uzYL7OdHhd/Ad7Z+i7/Tys7Hx1ySbd66HfDZ5IpHLSHCDu 3AfvMlqfhdgsU+AzaimOH8b8EYPBRSqOJ8WOpm0QUly1GDd8phei23hWmg+T/Z4= =x34k -END PGP SIGNATURE- -- _ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
Re: [Ltsp-discuss] Encrypted NBD root
On Tue, 2 Jun 2015 at 15:39 Ivan Mincik wrote: > I was thinking that if we would use encrypted root, only system > administrator would be able to boot client machines by manually > entering password. Or, do you know any better solution ? If you're willing to go to each client and enter a username/password, you might as well use a USB stick with a kernel/initrd and the encryption key with it, and boot with that (and of course remove it 5 seconds later, when the kernel/initrd are loaded). To avoid that, read about multi-key encryption and also try to find a way like dmidecode with which you can get a static seed from each client, readable only by root. Cheers, Alkis -- _ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
Re: [Ltsp-discuss] Encrypted NBD root
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Alkis, thank you very much for your reply. My answers are below: On 02.06.2015 06:32, Alkis Georgopoulos wrote: > On 01/06/2015 11:03 μμ, Ivan Mincik wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> Dear LTSP developers, I am wondering if it is possible to setup >> encrypted NBD root device which I want to use in some other Open >> Source project. I have just found, that LTSP is using encrypted >> NBD, but only for swap device. Is there any technical reason, >> that it is not possible to do so for root device ? >> > > If the server is to encrypt something, and only specific (=LTSP) > clients to be able to decrypt it, then they need some special > information from the server, e.g. the server's private encryption > key or something. > How are you planning to deploy that to netbooted clients? They need > local storage for that... alternatively, the root file system > encryption can be based on the client's hardware specific > information, that is transferred securely to the server and used as > a seed to the server's private encryption key (multi-key > encryption). I was thinking that if we would use encrypted root, only system administrator would be able to boot client machines by manually entering password. Or, do you know any better solution ? > > For the swap partition it's not the same, it's the client itself > that formats + encrypts the swap partition, not the server. Thanks for explanation. - -- Ivan Minčík ivan.min...@gmail.com GPG: 0x79529A1E http://imincik.github.io/0x79529A1E.key ivan.min...@gista.sk GPG: 0xD714B02C http://imincik.github.io/0xD714B02C.key -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVbaMmAAoJEPfdLsR5UpoeoJQIAJCcn0hRngixxhi9H5qGY6Kx zB4UF0tI2qE5sckd9vlcV78L6G67aI/c3JhNstvOXMT06vA+dr0ugBnMHF+SRdz0 Xskwr/1Tv+ffdKZ8Be1BgfL6hGjcInS4RE0ZAIhjrn4dBBwGbIHBwJeLAmVp0l15 Aq+6zLrTDwkT/UtR5BkO2/jDVhDYhaoVoBdoLSuYPRYObKDxSAbkmFq2OQ9bszp4 Huh3JX24/kh0l8IJPiaCtzHOkYGZC3xlgdnfHcQX0A6p1NJsvziZaVgM45GXip63 0ONVIuNa9Y8KAjOzkqP05wQQNkcWTwLjKDdNx5h9mHMcKG3yFA+f7o1ul2gVRRc= =Lm18 -END PGP SIGNATURE- -- _ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
Re: [Ltsp-discuss] Encrypted NBD root
On 01/06/2015 11:03 μμ, Ivan Mincik wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Dear LTSP developers, > I am wondering if it is possible to setup encrypted NBD root device > which I want to use in some other Open Source project. I have just > found, that LTSP is using encrypted NBD, but only for swap device. Is > there any technical reason, that it is not possible to do so for root > device ? > If the server is to encrypt something, and only specific (=LTSP) clients to be able to decrypt it, then they need some special information from the server, e.g. the server's private encryption key or something. How are you planning to deploy that to netbooted clients? They need local storage for that... alternatively, the root file system encryption can be based on the client's hardware specific information, that is transferred securely to the server and used as a seed to the server's private encryption key (multi-key encryption). For the swap partition it's not the same, it's the client itself that formats + encrypts the swap partition, not the server. -- _ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
[Ltsp-discuss] Encrypted NBD root
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dear LTSP developers, I am wondering if it is possible to setup encrypted NBD root device which I want to use in some other Open Source project. I have just found, that LTSP is using encrypted NBD, but only for swap device. Is there any technical reason, that it is not possible to do so for root device ? Thanks a lot - -- Ivan Minčík ivan.min...@gmail.com GPG: 0x79529A1E http://imincik.github.io/0x79529A1E.key ivan.min...@gista.sk GPG: 0xD714B02C http://imincik.github.io/0xD714B02C.key -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJVbLqbAAoJEPfdLsR5Upoe5yoH/0xgyUddFLuWjRu1BTPvouru aVq+Vtm8sv053U2m11/suxpNB4LQxl8EmuOdBH2rLoFRWKA2WxopQCsZnSXHbCyR FhtWjSaTT0thRSOPRfjz9l9JMcGBYOocYiZqKL3g76nVamxtM0lnoOBB7WOxfkAp MNIdr3vZfTdDRVHuJKOs5iMUpgRIJ/4hGJdblu5YU+pz31+S97MlMGrfcfKjBRpE IyHAFClKgwT7BRNhZ2WglbO2/EUx7bXZ+3bfouWhqM2wUz8ZLiVUh/3uVbLuC7rl msJ8vU3kNg+POoRflyZst7wYVq0sFx82g0lmZ+n+AVnmZi8wWtNhj7PZqq+nSMw= =jqBI -END PGP SIGNATURE- -- _ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net