On 09/08/2019 12:32 PM, Carlos E. R. wrote:
A system with an encrypted disk, if it first prompted for a local password, then tried to download a key from a pre-selected location, would be great! I have no idea if it would be possible to do this kind of thing without BIOS modifications. What would be required, and would there be risks of leaking unencrypted bits? Not bios. initrd. Same as it is possible to download the boot image from a remote machine using tftp.
Good point, but it would have to be done with overall security in mind. After all, you went to the trouble of encrypting the disk, you don't want to waste the effort by compromising the decryption key. Obviously, something with PKI for authentication on both ends, with encrypted content would be needed. SCP with pre-placed public keys would be perfect. I wonder how much larger that would make initrd? BTW, is it time for this to go to a more appropriate list? Your idea really has merit, Carlos, and would solve a number of difficult problems that Linux faces in the Information Assurance (IA) universe that large corporations and governments face. Has someone already solved this problem: remote reboot of a whole disk encrypted computer, while preserving authenticity and security? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org