Remotely unlocking an encrypted hard disk

Posted by janandonly 4 hours ago

Remotely unlocking an encrypted hard disk(jyn.dev)

40 points | 15 commentspage 2

ycombinatrix 2 hours ago|

FYI your decryption key can be MITMed during this process by anyone with physical access to the system, which defeats the purpose of encrypting the disk in the first place.

Just use dm-verity for remote servers.

FabCH 34 minutes ago||

Police show up and arrest you. Could be with reason, could be by accident. Maybe you did something wrong, maybe you didn’t. They also physically size your servers, and in doing so they unplug the system.

If you have disk encryption, your data now requires the police to force you to produce a password, which may or may not be within their powers, depending on the jurisdiction.

It’s strictly better to have full disk encryption and remote unlocking than no disk encryption at all, because it prevents such „system was switched off by accident“ attacks.

embedding-shape 1 hour ago|||

If only everyone shared the same use case :)

Maybe I have a server at home, with a locked cabinet and vibration sensors, that houses a server or two and they all use full disk encryption, but I still want to be able to reboot them without having to connect a physical keyboard to them. So no one has physical access, not even me, but I still want to be able to reboot them.

Or countless of other scenarios where it could be useful to be able to remotely unlock FDE.

jiveturkey 1 hour ago||

That's not a counter-argument. You are protecting the physical access, and your threat model doesn't include someone willing to bypass your locks and sensors. (or it does and you just didn't go into those details.)

The argument was that physical access gives up the FDE key.

izacus 2 hours ago||

Security isn't a binary boolean though.

kotaKat 2 hours ago||

I'm vaguely reminded of some of the third party disk encryption/preboot management utilities that exist in the Windows space that leverage similar technology. Authentication is done against an online source, and only then is the key sent back to the local machine to unlock the disk. The Bitlocker key is kept nowhere near the local TPM.

I've only seen it on some paranoid-level devices in industry (typically devices handling biometric identity verification services).

IIRC this one is a Linux image that boots up, unlocks the normal Bitlocker partition via whatever mechanism you need, then hands control back to the Windows bootloader to continue onwards.

https://winmagic.com/en/products/full-disk-encryption-for-wi...

readytion 2 hours ago|

[flagged]