Secure Linux Server Boot – Auto-Booting with Encrypted Filesystem

Tags: boot, encrypting-file-system, security

I'm setting up some new Ubuntu servers, and I'd like to secure the data on them against theft. The threat model is attackers desiring the hardware or rather naïve attackers desiring the data.


Please take note of this section.

The threat model does not include smart attackers desiring the data; I presume they will do one or more of the following:

  1. Splice a UPS into the power cable in order to keep the machine running continuously.

  2. Insert a pair of Ethernet bridges between the computer and the network termination point that will bridge the traffic over a wireless network of sufficient range that the host will maintain network connectivity.

  3. Open the box and use a probe on the memory bus to grab interesting stuff.

  4. Use TEMPEST devices to probe what the host is doing.

  5. Use legal means (such as a court order) to force me to disclose the data.

  6. Etc. Etc.


So what I want is to have some, or ideally all, of the data on the disk on an encrypted partition, with the key material necessary to access it on external media of some sort. Two methods I can think of for storing the key material are:

  1. Store it on a remote host accessible via the network, and configure enough of the network to retrieve it during the boot process. Retrieval would be allowed only to the IP address assigned to the secured host (thus not allowing access to the encrypted data if it were booted on another network connection) and could be disabled by administrators if the machine were discovered to be stolen.

  2. Store it on a USB storage device that is made in some way significantly more difficult to steal than the host itself. Locating it remote from the host, such as at the end of a five meter USB cable leading off into another corner of the room, or even another room, would probably significantly decrease the chances of attackers taking it. Securing it in some way, such as by chaining it to something immobile, or even putting it into a safe, would work even better.

So what are my options for setting this up? As I said before, I'd prefer to have everything (aside from perhaps a small boot partition that does not contain /etc) encrypted, so that I don't have to worry about where I'm putting files, or where they're accidentally landing.

We're running Ubuntu 9.04, if it makes any difference.
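The two retrieval methods described in the question can both be expressed as a cryptsetup keyscript that runs from the initial RAM disk. The script below is an added example, not code from the question or the answer. It assumes the Debian/Ubuntu keyscript convention (the script prints the key to stdout and exits 0; cryptsetup sets CRYPTTAB_NAME and hands the output to `luksOpen`), the `keyscript=` option in /etc/crypttab, the askpass helper at /lib/cryptsetup/askpass, and that wget, blkid and mount are copied into the initramfs by a hook. The filesystem label CRYPTKEY, the file name luks.key and the key-server URL are made-up names for the example. It tries the USB stick first, then the key server, then falls back to a console prompt:

```shell
#!/bin/sh
# Example cryptsetup keyscript (added illustration, not from the page).
# Referenced from /etc/crypttab as, for instance:
#   cryptroot /dev/sda2 none luks,keyscript=/usr/local/sbin/fetchkey.sh
# Convention assumed: print the key to stdout and exit 0; a non-zero exit
# tells cryptsetup the attempt failed.

# All of these names are assumptions chosen for the example.
KEY_LABEL="${KEY_LABEL:-CRYPTKEY}"   # filesystem label of the USB key stick
KEY_NAME="${KEY_NAME:-luks.key}"     # key file on the stick
KEY_URL="${KEY_URL:-https://keys.internal.example/$(hostname 2>/dev/null || echo unknown-host).key}"
MIN_KEY_BYTES=32                     # refuse anything shorter than 256 bits

# Print the contents of $1 if it exists and holds at least MIN_KEY_BYTES.
# Checks happen before any output, so a caller can rely on the exit status.
read_keyfile() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$MIN_KEY_BYTES" ] || return 1
    cat "$f"
}

# Method 2 from the question: a key file on a removable USB device that is
# physically harder to take than the host. Mounted read-only, then unmounted.
key_from_usb() {
    dev=$(blkid -L "$KEY_LABEL" 2>/dev/null) || return 1
    [ -n "$dev" ] || return 1
    mnt=$(mktemp -d /tmp/cryptkey.XXXXXX) || return 1
    mount -o ro "$dev" "$mnt" 2>/dev/null || { rmdir "$mnt"; return 1; }
    read_keyfile "$mnt/$KEY_NAME"; rc=$?
    umount "$mnt" 2>/dev/null; rmdir "$mnt"
    return $rc
}

# Method 1 from the question: fetch the key from a server on the network.
# Restricting which source address may fetch, and revoking a stolen host,
# is enforced on the server side; the client only asks.
key_from_network() {
    tmp=$(mktemp /tmp/netkey.XXXXXX) || return 1
    if wget -q -T 10 -O "$tmp" "$KEY_URL" 2>/dev/null; then
        read_keyfile "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Last resort: ask an operator at the console.
key_from_prompt() {
    if [ -x /lib/cryptsetup/askpass ]; then
        /lib/cryptsetup/askpass "Unlocking ${CRYPTTAB_NAME:-root}, enter passphrase: "
    else
        printf 'Enter passphrase: ' >&2
        read -r pass || return 1
        printf '%s' "$pass"
    fi
}

# Try the sources in order; the first one that emits a key wins.  Each source
# fails before printing anything, so the key bytes stream straight to stdout
# and are never held in a shell variable (which could not carry NUL bytes).
fetch_key() {
    for src in key_from_usb key_from_network key_from_prompt; do
        "$src" && return 0
    done
    return 1
}

# Only run the chain when invoked by cryptsetup, which sets CRYPTTAB_NAME.
if [ -n "${CRYPTTAB_NAME:-}" ]; then
    fetch_key
fi
```

Note that the initramfs lives on the unencrypted boot partition, so anyone with the hardware can read this script and the URL in it; what the design relies on is that the key server refuses requests from any address other than the host's assigned one (and can be disabled once a theft is noticed), and that the USB stick is somewhere the thief did not get to. That matches the question's threat model and nothing more: a patient attacker who keeps the machine powered and on its original network link is outside it.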

Best Answer

I know of a clever variant of Option 1 called Mandos.

It uses a combination of a GPG key pair, Avahi, SSL and IPv6, all added to your initial RAM disk, to securely retrieve its root partition's key password. If the Mandos server isn't present on the LAN, your server is an encrypted brick; and if the Mandos server hasn't seen a heartbeat from the Mandos client software for a given period of time, it will ignore future requests for that key pair and the server is an encrypted brick next time it boots.

Mandos Homepage

Mandos README