A remote server, 100% encrypted and protected from the mask show
16 March 2011, 11:35
I was prompted to write this masterpiece by the article "A paranoid's dream, or once more about encryption". It is wonderful and helpful, with one exception: if a "mask show" comes, they will take the server together with all the flash drives and keys. Hence the question: how do you make sure that the server holds no traces of encryption keys and the like?
The answer is trivial: do not store them on the server. Do not store them next to the server either, or anywhere at all within reach of a potential attacker.

The idea of the proposed solution is simple:
On the server you want to protect (let's call it the "working" server), install two systems. The first is minimal, lives on a normal UNencrypted partition, consists only of the kernel, a console and the network interfaces, and does not use swap. The second lives on an encrypted partition, following FeNUMe's method. The encrypted partition must be encrypted in its entirety and must not contain any headers. To an outside observer it should look like an unformatted disk area filled with random data.
There must be a second server (the "hidden" one), geographically located in another country and registered to another person. It should not respond to ping requests and should accept connections from a single IP only: the IP of the working server. All other connections are dropped at the firewall: for the rest of the world, except the working server, the hidden server is a "black hole".
Booting the working server starts with the minimal (open) unencrypted system. During boot it brings up the network interfaces, SSH, and a RAM disk.
Once the open system has booted, it knocks on the second server via HTTP/HTTPS.
In response to the working server's knock, the hidden server logs in to the working server's console over SSH, copies to the RAM disk a script and the key file for the working server's hidden partition, and runs the script. It then disconnects.
The script attaches the hidden partition (it has the key file) and starts the kernel from there using kexec. I.e. a new system is actually started.
That's all. Finita la commedia, as they say, and full, comprehensive profit.
For those who wish, the hidden server can be equipped with a function that shuts it down when it receives a certain message from an SMS-to-email gateway (in effect, shutdown on receiving an SMS). Before shutting itself down, it must log in to the working server via SSH and switch it off. I.e. this adds remote shutdown of both servers.
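The script that the hidden server copies to the RAM disk and runs could look like the following. This is an added example, not the author's script: it assumes dm-crypt plain mode for the headerless partition, and the device, paths, mapping name and cipher settings are all assumptions. By default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not the author's script. dm-crypt plain mode, the device,
# the paths, the mapping name and the cipher settings are assumptions; the
# post names only a headerless encrypted partition, a key file, a RAM disk
# and kexec.
DEV="${DEV:-/dev/sda3}"          # headerless encrypted partition (assumed)
KEY="${KEY:-/mnt/ram/key.bin}"   # key file copied over by the hidden server
NAME="${NAME:-hidden}"           # device-mapper name (assumed)
MNT="${MNT:-/mnt/hidden}"        # temporary mount point (assumed)
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them too

run() {  # print a command; execute it only when DRY_RUN is not 1
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

boot_hidden() {
    # Plain mode writes no header, so the partition is indistinguishable
    # from random data. Cipher and key size must therefore be given on
    # every open and must match the values used when it was created.
    run cryptsetup open --type plain --cipher aes-xts-plain64 \
        --key-size 512 --key-file "$KEY" --readonly "$DEV" "$NAME" || return 1
    run mount -o ro "/dev/mapper/$NAME" "$MNT" || return 1
    # Stage the hidden system's kernel and initrd in memory.
    run kexec -l "$MNT/boot/vmlinuz" --initrd="$MNT/boot/initrd.img" \
        "--append=root=/dev/mapper/$NAME ro" || return 1
    # The mapping does not survive kexec. The staged initrd has to reopen
    # the partition itself, so the key must reach it; the post does not
    # say how, and root=/dev/mapper/$NAME assumes it reuses this name.
    run umount "$MNT" || return 1
    run cryptsetup close "$NAME" || return 1
    run kexec -e   # jump into the staged kernel; no return on success
}

boot_hidden
```

With a 512-bit key size the key file must hold at least 64 bytes, because plain mode reads the key directly from the file without hashing it.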

What do we have as a result?
If the working server is seized, it is nothing but a bare system that, after booting, reaches out to some mysterious URL. Nothing more can be had from such a system once it is seized, since its IP will change and the hidden server will ignore all requests. Moreover, the very existence of the hidden server is unprovable, because it responds to requests from one particular IP only.
There is no way to prove that any useful data exists on the working server: all that can be seen is unpartitioned space filled with random data.
No keys are stored on the working server.
There is no way to prove that encryption is used, since the script and key are copied each time from another computer (the hidden server) and reside on the RAM disk.
The working server's main system sits entirely on the encrypted partition, together with its kernel and logs, and the fact of its existence is unprovable.
The owner of the server (or his friends, relatives, colleagues) can disable the hidden server at any time, making it impossible to access the data on the working server and leaving the very existence of any data unprovable.
If SMS control is in place, then in case of a mask show the owner can remotely shut down both servers, and when the working server is powered on again it holds nothing but a bare system.
The method is completely, 100% resistant even to the harshest thermorectal cryptanalysis: if the hidden server has been physically wiped, or the key file has been removed from it, then the owner could not show anything to anyone even if he wanted to.
The method is fault-tolerant: in case the hidden server dies unexpectedly, the owner can bury, in a secret place under a cherished linden tree, a flash drive with the files needed to start the working server. With these files (the script and the key), nothing stops him from logging in to the open system of the working server via SSH and starting the encrypted system. True, resistance to thermorectal cryptanalysis drops considerably in this case.
Among the shortcomings we have:
if the hidden server is unavailable, the working server cannot start; but a normal server is rebooted infrequently, and if there is no Internet, the working server is probably useless anyway;
nothing prevents you from having two hidden servers (duplication).

P.S.
Since questions are being sent to me by e-mail, here are a few comments:
1) Simply using the hidden server for data storage is not interesting, because it is far away, the ping to it is high, and the channel is narrow.
2) Nothing is served from the hidden server: the hidden server itself logs in over SSH to the working server. If it served anything, the scheme of work would become clear and a lot of questions would arise, plus there would be a reason to put pressure on the owner, because he "gives".
3) The request to the hidden server is, of course, made over HTTPS, so that the IP cannot be substituted. Although in fact this is not necessary: connections are accepted from a single IP anyway. Plus, the return path has SSH keys.
4) This is not a panacea and does not protect against everything. If the state wants to put someone in prison, it will. No servers are needed for that. And if the intelligence services take someone on, they will get what they want. This protects strictly against arbitrariness and lawlessness: when, because of competitors or young pranksters, an unsuspecting server owner can get a real prison term.
5) This applies primarily to web hosting, where there is no physical access to the server. Something similar could probably be used for enterprise servers too, but it is not clear why :)
6) In the comments everyone has latched on to this unfortunate soldering iron like a limpet. Nothing helps against a soldering iron. Not even the absence of a server.

P.P.S.
Tired of arguing with strange people from a parallel universe, I am adding this one example.
Added by: w1zard