It is possible to mount NBD root filesystem by anybody and read files from there. The only solution I have discovered is to encrypt NBD device using dm-crypt and LUKS. LTSP project already contains implementation of encrypted swap;
See:
Responses from LTSP list:
Dear LTSP developers, I am wondering if it is possible to set up an encrypted NBD root device, which I want to use in some other Open Source project. I have just found that LTSP is using encrypted NBD, but only for the swap device. Is there any technical reason that it is not possible to do so for the root device?
If the server is to encrypt something, and only specific (=LTSP) clients are to be able to decrypt it, then they need some special information from the server, e.g. the server's private encryption key or something.
How are you planning to deploy that to netbooted clients? They need local storage for that... alternatively, the root file system encryption can be based on the client's hardware-specific information, that is transferred securely to the server and used as a seed to the server's private encryption key (multi-key encryption).
For the swap partition it's not the same, it's the client itself that formats + encrypts the swap partition, not the server.
If you're willing to go to each client and enter a username/password, you might as well use a USB stick with a kernel/initrd and the encryption key with it, and boot with that (and of course remove it 5 seconds later, when the kernel/initrd are loaded).
To avoid that, read about multi-key encryption and also try to find a way like dmidecode with which you can get a static seed from each client, readable only by root.
Alkis
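The "multi-key encryption" idea from the reply above, as an added example that is not LTSP code and not part of the thread: one root volume key is wrapped once per client, LUKS-keyslot style, under a key-encryption key derived from that client's hardware seed (the kind of value the reply suggests obtaining with dmidecode) and a random public salt kept in a header that can be served in the clear next to the NBD image. The client IDs, seeds and the header layout are constructed for the example; the only security-relevant caveat the code itself carries is that the hardware seed must be as secret and as unguessable as a passphrase, because everything else in the header is public.

```python
"""Multi-slot wrapping of an NBD root volume key for netbooted clients.

Added example (not LTSP's implementation). Each client gets a key-encryption
key (KEK) derived with HKDF-SHA256 from a hardware-specific seed plus a
random salt stored in the public header; the single volume key is wrapped
once per client so any enrolled client can unlock the same root image and a
client can be revoked without re-encrypting the root.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size   # 32 bytes for SHA-256
KEY_LEN = 32


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-SHA256 (RFC 5869) extract-then-expand using only the stdlib."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_kek(hw_seed: bytes, header_salt: bytes, client_id: str) -> bytes:
    """Per-client KEK. hw_seed is the secret the client can reproduce at
    boot (a dmidecode-style value, constructed here); the salt is public,
    so the seed's entropy is the whole security margin of the slot."""
    return hkdf(hw_seed, header_salt, b"nbd-root-kek:" + client_id.encode())


def wrap(volume_key: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC wrap: XOR the volume key with a KDF-derived pad and
    authenticate with HMAC. Each KEK wraps exactly one value, so the pad is
    never reused."""
    pad = hkdf(kek, b"", b"wrap-pad", len(volume_key))
    ct = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(kek, ct, HASH).digest()
    return ct + tag


def unwrap(blob: bytes, kek: bytes) -> bytes:
    """Reverse of wrap(); rejects a wrong KEK or a tampered slot."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, HASH).digest()):
        raise ValueError("wrong key or corrupted slot")
    pad = hkdf(kek, b"", b"wrap-pad", len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


class RootKeyHeader:
    """Public header served next to the encrypted image: one random salt and
    one wrapped copy of the volume key per enrolled client. The volume key
    itself stays on the server and is only passed in while enrolling."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.slots: dict[str, bytes] = {}

    def add_client(self, volume_key: bytes, client_id: str, hw_seed: bytes) -> None:
        """Server side: enrol a client by wrapping the volume key for it."""
        self.slots[client_id] = wrap(volume_key, client_kek(hw_seed, self.salt, client_id))

    def revoke_client(self, client_id: str) -> None:
        """Server side: drop a slot; the root image needs no re-encryption."""
        del self.slots[client_id]

    def open_as_client(self, client_id: str, hw_seed: bytes) -> bytes:
        """What a client's initramfs would do: derive its KEK and unwrap."""
        if client_id not in self.slots:
            raise KeyError(f"no slot for {client_id}")
        return unwrap(self.slots[client_id], client_kek(hw_seed, self.salt, client_id))


if __name__ == "__main__":
    vk = secrets.token_bytes(KEY_LEN)          # constructed root volume key
    hdr = RootKeyHeader()
    hdr.add_client(vk, "client-a", b"constructed-seed-A")
    hdr.add_client(vk, "client-b", b"constructed-seed-B")
    print("client-a unlocks:", hdr.open_as_client("client-a", b"constructed-seed-A") == vk)
    hdr.revoke_client("client-b")
    print("slots left:", sorted(hdr.slots))
```

The header is what a LUKS header is to a LUKS volume: it is safe to serve over the same unauthenticated channel as the image, and revoking a machine is a header edit rather than a re-encryption of the root. In a real deployment the wrapped key would be handed to cryptsetup as a keyfile and the seed would have to be read with root privileges only, as the reply above notes.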