Re: Database Encryption (now required by law in Italy)

From Stephan Szabo
Subject Re: Database Encryption (now required by law in Italy)
Date
Msg-id 20040305120845.H92233@megazone.bigpanda.com
In response to Re: Database Encryption (now required by law in Italy)  (Silvana Di Martino <silvanadimartino@tin.it>)
Responses Re: Database Encryption (now required by law in Italy)  (Silvana Di Martino <silvanadimartino@tin.it>)
List pgsql-admin
On Fri, 5 Mar 2004, Silvana Di Martino wrote:

> On Friday 5 March 2004 at 15:11, Alex Page wrote:
> > If you're trying to protect against somebody taking down your server
> > room door with a sledgehammer, lifting your server out of the rack,
> > driving it away and booting off an alternative medium to avoid needing
> > to know your root password, then a loopback encrypted partition (or data
> > encrypted in GPG where the decryption key is not stored on the database
> > server) is a sensible precaution.
>
> Unfortunately, the new Italian law forces us to take seriously into account
> this catastrophic scenario and another one that is almost as worrying: an
> unfaithful SysAdmin that copies your data and sells them to KGB. So, database
> encryption (and not disk encryption) is the _only_ answer.

But since your sysadmin (if not trusted) could go behind your back and
replace the database, any applications that are using the data, etc, I'm
not sure that's even sufficient.

> > Of course, this loopback encryption with a boot-time passphrase may fail
> > if they take the rackmount UPS as *well*, and keep the machine powered
> > at all times ;)
>
> The server should listen to the (encrypted/digitally signed) "Heartbeat" of a
> password server through the net to prevent this kind of attack.

That'll help prevent this sort of attack (although doesn't entirely unless
you can guarantee that the password server cannot be taken at the same
time) but also gives you a remote point of failure.
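
The heartbeat scheme discussed in this message, sketched as an added example that is not part of the original post or of PostgreSQL: a database-side watchdog that accepts only authenticated, fresh, non-replayed heartbeats and fails closed when they stop. Assumptions: HMAC-SHA256 with a shared key stands in for the digital signature, and the message layout, the 30-second limit and all names are hypothetical.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, provisioned out of band in practice
MAX_SILENCE = 30               # assumed limit in seconds before the data must be locked

def make_heartbeat(key, counter, ts):
    """Password-server side: 8-byte counter + 8-byte timestamp + HMAC-SHA256 tag."""
    body = struct.pack(">QQ", counter, ts)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class HeartbeatWatchdog:
    """Database-server side: tracks the last valid heartbeat and fails closed."""

    def __init__(self, key, now):
        self.key = key
        self.last_counter = -1
        self.last_seen = now

    def accept(self, msg, now):
        if len(msg) != 16 + 32:
            return False
        body, tag = msg[:16], msg[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                  # forged or corrupted
        counter, ts = struct.unpack(">QQ", body)
        if counter <= self.last_counter:
            return False                  # replay of an earlier heartbeat
        if abs(now - ts) > MAX_SILENCE:
            return False                  # stale: captured earlier, delivered late
        self.last_counter, self.last_seen = counter, now
        return True

    def must_lock(self, now):
        # True for theft AND for a network or password-server outage:
        # the watchdog cannot tell the two apart.
        return now - self.last_seen > MAX_SILENCE

def demo():
    wd = HeartbeatWatchdog(KEY, now=1000)
    hb1 = make_heartbeat(KEY, 1, 1005)
    return [
        wd.accept(hb1, now=1005),                                # valid
        wd.accept(hb1, now=1010),                                # replayed
        wd.accept(make_heartbeat(b"wrong", 2, 1012), now=1012),  # wrong key
        wd.must_lock(now=1030),                                  # 25 s of silence
        wd.must_lock(now=1040),                                  # 35 s of silence
    ]
```

The watchdog keeps accepting heartbeats for as long as the genuine password server can reach it, so it gives no protection if both machines are taken together.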
