Security is higher if only one machine can do the decryption.
How would you suggest to allow only one computer to be able to decrypt a LUKS partition?
I would simply need to get a set of variables specific to my machine and add them in the passphrase but I don't know which ones to choose.
Which variables would you choose that would act as a "machine ID"?
> Security is higher if only one machine can do the decryption.
Availability can take a serious hit if that machine goes bust, though.
> How would you suggest to allow only one computer to be able to decrypt a LUKS partition? I would simply need to get a set of variables specific to my machine and add them in the passphrase [...]
Well, you could base it on some hardware serial numbers (sudo dmidecode to see some) but this is less useful than you think. If the bad guys have physical access to the computer, they can make it show them the hardware serial numbers and defeat the scheme. If the bad guys don't have physical access to the computer, you can just use a key file stored on a non-encrypted partition of an internal disk, or on a thumb drive, or on an SD card, or on an optical disk, etc.
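The key-file approach mentioned in the answer above, as an added example that is not part of the original answer: it generates a random key file with owner-only permissions, checks it before use, and enrolls it in a LUKS key slot. The function names, `/dev/sdX2`, `/mnt/usb/luks.key` and `securedata` are placeholders chosen for illustration.

```shell
# Added example: key-file handling for a LUKS volume (not from the original answer).
# Function names, device names and paths are illustrative placeholders.
KEY_BYTES=4096

# Create a random key file readable only by its owner; never overwrite an existing one.
make_keyfile() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    ( umask 077; head -c "$KEY_BYTES" /dev/urandom > "$keyfile" ) || return 1
    chmod 400 "$keyfile"
}

# Verify size and permissions before trusting a key file.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "$keyfile: not a regular file" >&2; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    mode=$(stat -c '%a' "$keyfile")
    [ "$size" -eq "$KEY_BYTES" ] || { echo "$keyfile: unexpected size $size" >&2; return 1; }
    case $mode in
        400|600) return 0 ;;
        *) echo "$keyfile: mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Add the key file as an extra LUKS key slot (cryptsetup asks for an existing passphrase).
enroll_keyfile() {
    device=$1 keyfile=$2
    check_keyfile "$keyfile" || return 1
    cryptsetup luksAddKey "$device" "$keyfile"
}

# Unlock the volume with the key file instead of a typed passphrase.
unlock_with_keyfile() {
    device=$1 name=$2 keyfile=$3
    check_keyfile "$keyfile" || return 1
    cryptsetup open --type luks --key-file "$keyfile" "$device" "$name"
}

# Typical use as root, with placeholder names:
#   make_keyfile /mnt/usb/luks.key
#   enroll_keyfile /dev/sdX2 /mnt/usb/luks.key
#   unlock_with_keyfile /dev/sdX2 securedata /mnt/usb/luks.key
```

On FAT-formatted removable media, file modes come from the mount options rather than from `chmod`, so the permission check reflects how the drive is mounted.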