Linux – TPM alternative to securely storing encrypted keys within the system

TPM alternative to securely storing encrypted keys within the system… here is a solution to the problem.

TPM alternative to securely storing encrypted keys within the system

I need to deploy a server with very sensitive data.
More precisely, this (Linux) server will be deployed in a van full of antennas, spinning around the world, and I need to prevent data breaches, even if the untrusted wagon operator will end up accessing the hard drive directly.

The actual (former) configuration is based on encrypted FS and works fine until the server resides somewhere in a server room, even though this forces a trusted person to be present to enter the key on reboot.

But this solution is not suitable for new scenarios where the server will restart frequently and will not be tracked by someone authorized to access the data.
Some of our new servers are equipped with a TPM module, so the problem is solved, but most of the servers offered do not include this security feature.

How can I store this sensitive data encrypted without requiring decryption intervention by the user at boot time and without saving plaintext passwords on the hard drive?

We’re thinking about some key generators based on machine checks of obfuscated code, just like some license validation software works, but I don’t know where to start.

Solution

You need a http://en.wikipedia.org/wiki/Hardware_Security_Module similar to a server in a bank that stores private credit card payment information, such as passwords. They have physical security, so if you open the server shell without authorization, it removes the key.

TPM is not the real solution to the problem, as servers can be dismantled and stolen. If it doesn’t need a password at startup, it will use private information to decrypt it internally. There are hardware sniffing solutions that can get this information from a working server, such as http://www.asset-intertech.com/products_interposers.htm (jtag debugger for CPU) or this http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900 (Frozen Dimm Memory saves data after power loss).

I’m not an expert in hardware security, so I can only recommend a few URLs such as http://en.wikipedia.org/wiki/Tamper_resistance & http://en.wikipedia.org/wiki/FIPS_140-2 (Level 3 and Level 4).

Related Problems and Solutions

  1. How to use the glDrawVertex() function in ANSI C
  2. How to execute multiple commands for each file I find
  3. Link order issues when dynamic link libraries depend on each other
  4. Do I need GLIBCXX_3.4.9 if I already have GLIBCXX_4.1.2 installed?
  5. git push node js fails on Azure linux and kudu wants to run dotnet commands
  6. Which API provides wireless network notifications in Linux?
  7. What is the latest state of development in Linux virtualization technology?
  8. Linux C++ threads in classes