# :. How to hide an encryption key in the hardware?

## dmitrio

Hi!

Suppose we have an encrypted FS.

What an option do we have to hide a key inside a hardware?

or maybe use as a paraphrase some hardware setting (like serial number or something else)

I mean that particular system should loadup only in combination of the same hardware.

(minimal check would be the system board and the hard drive)

At boot time it should not ask for any passwords - just check hardware config and if it OK then boot up.

And wouldn't bootup if you'll plug  the HDD in to the other computer.

Any ideas?

----------

## kashani

I've heard rumors of people who have attached some hardware (RSA??) serial device to the serial port. The machine would query that before doing various tasks. The problem then becomes, if they can steal the hard drive why not a serial device too.  :Smile: 

kashani

----------

## dmitrio

 *kashani wrote:*   

> I've heard rumors of people who have attached some hardware (RSA??) serial device to the serial port. The machine would query that before doing various tasks. The problem then becomes, if they can steal the hard drive why not a serial device too. 

 

yes, i agree with it, i don't wont to use any floppy, usb keys, hardlock keys and so on

samething like put together serial number from HDD and a chip on systemboard or something like it..

any idea would be really helpfull!

----------

## puggy

I think you'd definitley be sacrificing security to do this.

If someone stole your whole computer for instance...

Also, serial numbers etc can be faked...

Puggy

----------

## dmitrio

 *puggy wrote:*   

> I think you'd definitley be sacrificing security to do this.
> 
> If someone stole your whole computer for instance...
> 
> Also, serial numbers etc can be faked...
> ...

 

yes, i know this,

but i would like to set things up, so it will work only in particular hardware configuration, not anybody else, 

even if it mirrored to another HDD it wouldn't work.

----------

## xming

```
root # hdparm -i /dev/hda

/dev/hda:

 Model=HITACHI_DK23DA-30, FwRev=00J1A0G2, SerialNo=113SGP

 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }

 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4

 BuffType=DualPortCache, BuffSize=2048kB, MaxMultSect=16, MultSect=16

 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=58605120

 IORDY=yes, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120}

 PIO modes:  pio0 pio1 pio2 pio3 pio4

 DMA modes:  mdma0 mdma1 mdma2

 UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5

 AdvancedPM=yes: mode=0x80 (128) WriteCache=enabled

 Drive conforms to: ATA/ATAPI-5 T13 1321D revision 3:  2 3 4 5

```

----------

## dmitrio

 *xming wrote:*   

> 
> 
> ```
> root # hdparm -i /dev/hda
> 
> ...

 

Thanx xming, it's a one piece of the mosaic  :Smile: 

----------

## xming

ifconfig eth0, then you have the mac address (I know macs are changeable but in combination with serial id from the hd, it should be reaaly uniq)

oh and cat /proc/bus/usb/devices might give you more data

xming

----------

## dmitrio

 *xming wrote:*   

> ifconfig eth0, then you have the mac address (I know macs are changeable but in combination with serial id from the hd, it should be reaaly uniq)
> 
> oh and cat /proc/bus/usb/devices might give you more data
> 
> 

 

MAC address should be unique, nice tip! tnx   :Very Happy: 

i have nothing on usb - so it wouldn't work

is here any possibilities to get something like CPU serial number

or maybe info from chips on system board?

----------

## Diggen

Whats about

#cat /proc/pci

----------

## axxackall

Whereever you hide the key, if it on the computer - I steal and I have and I use it without any problem.

The only thing you can steal from me is myself, specifically the combination of my knowledge (not spoken yet!) and my (alive!) body.

Basically, I advise to use biometric devices, which can read the image of you (retina or fingerprint), ask you the password, encode the image with your password into your bio-pattern and compare it to the pattern from the DB (must be encrypted agian with your bio-pattern).

Now if I steal your PC I cannot use it without your bio-pattern. If I steal the password - I don't have you body for image. If I kill you - I don't know the password and, besides, good biometrics devices recognize the dead body by personal (usually invisible) micro-motions of your eye retina.

Expensive? Perhaps. But how much is your risk to loose your data from HD?

----------

## axxackall

BTW, it might be cheaper to buy an account in remote network storage and mount that space through a password-encrypted secure-tunnel.

----------

## dmitrio

Hi

question that the computer is in russia - so all the expensive stuff wouldn't work

and it should work in autopilot mode,

but if somebody will try to get hands on will get nothing (without root password) (case of masks-show)

i know a little bit about how is recovery of HDD going on - so it will be pretty reliable to bind hdd encryption to hardware enviroment.

----------

## axxackall

 *dmitrio wrote:*   

> Hi
> 
> question that the computer is in russia - so all the expensive stuff wouldn't work
> 
> and it should work in autopilot mode,
> ...

 

1. You're right, in Russia all hardware is expensive, but the labour cost is almost free. So, encrypt the disk three times and give each password to 3 different people. Make sure that those men are available to type their passwords when the system reboots. I guess, those men (pick very cheap ones) must be included as a part of the "auto-pilot" mode (sort of biometrics, but using someone else's data)  :Smile: 

2. The lack of the root password is not a problem. I can "repair" the system with "lost" root password having an access to unencrypted boot sector, if the sector reads the key from the repeatable hardware source in order open the root (and/or other) partitions. Russian goverment special forces have enough talents doing it on a daily basis.

3. For those of us who doesn't know what is maski-show, it's an unofficial name for the official procedure of russian federal tax (and not only tax) police forces  to search for financial (and not only financial) criminal evidences. They use to wear their black-color face-masks, when they come having their search warrant (and their weapon). The guy is trying to protect details of someone's "activity" from the russian goverment. Don't be shocked, in Russia it's a normal life.

----------

## dmitrio

 *axxackall wrote:*   

> 
> 
> 1. You're right, in Russia all hardware is expensive, but the labour cost is almost free. So, encrypt the disk three times and give each password to 3 different people. Make sure that those men are available to type their passwords when the system reboots. I guess, those men (pick very cheap ones) must be included as a part of the "auto-pilot" mode (sort of biometrics, but using someone else's data) 
> 
> 

 

I would like to exclude any human factor since it's a weakes link (IMO)

 *axxackall wrote:*   

> 
> 
> 2. The lack of the root password is not a problem. I can "repair" the system with "lost" root password having an access to unencrypted boot sector, if the sector reads the key from the repeatable hardware source in order open the root (and/or other) partitions. Russian goverment special forces have enough talents doing it on a daily basis.
> 
> 

 

this solution looks pretty elegant: root encryption to prevent it  :Wink: 

 *axxackall wrote:*   

> 
> 
> 3. For those of us who doesn't know what is maski-show, it's an unofficial name for the official procedure of russian federal tax (and not only tax) police forces  to search for financial (and not only financial) criminal evidences. They use to wear their black-color face-masks, when they come having their search warrant (and their weapon). The guy is trying to protect details of someone's "activity" from the russian goverment. Don't be shocked, in Russia it's a normal life.

 

BTW thanks for the explanation - i didn't think, that some ppl may have no idea what i'm talking about  :Embarassed: 

I would like to introduce solution to discuss a possible security holes in it /or maybe other possibilites/ and how to fix it.

Any opinion is highly appreciated.

Upon bootup initrd gathering information from different pieces of hardware

then it will put together a some of that information 

and use it as a paraphrase for unencryption of the encrypted root partition 

in emergency case, we have to boot up with another initrd (or other source) and put the paraphrase manually. 

(since we know which parts of hardware ID we used for paraphrase

so it wouldn't be any problem to bootup with correct password)

----------

## axxackall

 *dmitrio wrote:*   

> I would like to exclude any human factor since it's a weakes link (IMO)
> 
> ...[snip]...
> 
> this solution looks pretty elegant: root encryption to prevent it 
> ...

 

Whatever you do - you boot-sector is unencrypted (unless you order a special PC with BIOS, which can read encrypted boot-sector, decrypt it and then execute it - but make sure that I don't have a copy of that BIOS). So, I can boot from alternative boot device (floppy, CDROM, if not presented - I open PC and install the missed hardware by my hands), then read your boot sector (it's unecrypted, remember?), trace it (it's not big, so it won't take long) and see where it gets the key and what algoritm is used to decrypt the rest of the system. It's not a big deal for me as the boot sector gathers your hardware parameters, which are repeatable or predictable or calculable information. So, I'll break such  security in no time, especially if big money behind  :Smile: 

There is no way to protect your system without gathering the source of paraphrase from unrepeatable sources. Any randomization device won't work as it's also random for decryptor (in other words - it doesn't give a real password), but it's not uniq among similar devices (in other words - no way to recognise the identifying style of the device). 

The only way to gather such information is to get it from external sources, which must give in unrepeatable way (otherwise I can get it too as yesterday I've opened your PC and installed a small bug in your bootsector, which watch (spy) the paraphrase (I can wipe out the change by correcting the CRC algorithm in the boot sector).

So, the real solution for you is using special decryption device, which the person wears with him/her, connects at the moment of authentication, the boot sector distributes the task of decrption to that device, the root is decrypted, the device is disconnected. Then I am "a weak link" in hands of Russian Govt and your boss may sleep without problems. 

How about the guy with that device? It's your boss. That's right, he is the only guy whom your boss trusts and he is the guy who boots the system, while you make sure that uptime is enough to tolerate long trips of your boss.

----------

## dmitrio

after a little search in different docs, including our thread, i'm turn around and looking for information about external devices, and you saying that it can be traceable.

looks like i have couple choses 

1. get a unique BIOS with encription support

2. use a authentification key with person

some of the computers are locked - so nobody have access to it, accept admin, so person with ID key wouldn't work

is it any other ways to secure the system, using external devices, without human intervention?

----------

## panserg

dmitrio,

Don't forget to check NIST about security, National Institute of Standartization. Check there "Drafts" and "Special Publications", especially "800 series". It's a set of classic articles about IT security, with very well done analytical and classificational materials. IT security practice in US goverment has been build based on it. I am sure that Russian govt is using very similar guidelines. Also, the goverment may use those guidelines to prepare the practivce of breaking enimy's IT security. Thus, knowing such guidelines may help you to build the system better protected from your goverment.

Another source of information would be The National Security Agency, but they don't have much of articles published. BTW, they are the guys who sponsor SE-Linux.

One more article explains what mean "C2 Trusted" security level and what is the problem of "boot floppy".

----------

