TPM 替代方案可在系统内安全存储加密密钥

发布于 2024-10-30 03:09:37 字数 502 浏览 5 评论 0原文

我需要部署一个包含非常敏感数据的服务器。 更准确地说,这台(Linux)服务器将部署在一辆装满天线的货车上,在世界各地旋转,即使在不受信任的货车操作员最终将直接访问硬盘的情况下,我也需要防止数据泄漏。

实际的(以前的)配置基于加密的 FS,并且在服务器驻留在某个服务器机房的某个地方之前可以正常工作,即使这会迫使受信任的人员在重新启动时输入密钥。

但此解决方案不适用于服务器将经常重新启动并且不会被授权访问数据的人跟踪的新场景。 我们的一些新服务器配备了TPM模块,所以问题就这样解决了,但是大多数提供的服务器不包含此安全功能。

如何加密存储这些敏感数据,而不需要用户在启动时干预进行解密,并且无需在硬盘驱动器上保存明文密码?

我们正在考虑一些基于混淆代码机器检查的密钥生成器,就像某些许可证验证软件的工作方式一样,但我不知道从哪里开始。

I need to deploy a server containing very sensitive data.
More precisely, this (linux) server will be deployed on a van full of antennas spinning arround the world, and i need to prevent data leaks even in case of an untrusted van operator that will eventually gain directly access to the hard drive.

The actual (previous) configuration is based on a encrypted FS, and works fine until the server reside on some server room somewhere, even if this force the presence of someone trusted to enter the key on reboot.

But this solution is not applicable on this new scenario where the server will be rebooted often and will not be followed by someone authorized to access the data.
Some of our new servers are equipped with TPM module, so the problem is solved the case, but most of servers provided do not include this security feature.

How can i store these sensitive data encrypted, without need of user intervention for decription at boot time and without saving the plain password on the hard drive?

We are thinking about some obfuscated-code-machine-checking-based key generator, in the same way some license validation software works, but I don't know from where to start.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

祁梦 2024-11-06 03:09:37

您需要一个 http://en.wikipedia.org/wiki/Hardware_Security_Module 服务器,就像银行中使用的那样用于存储私人信用卡付款信息(如密码)。它们具有物理安全性,因此如果您未经授权打开服务器的外壳,则会删除密钥。

TPM 并不是问题的真正解决方案,因为服务器可能被拆卸和窃取。如果启动时不需要密码,它将使用私人信息,在内部解密。有一些硬件嗅探解决方案可以从工作服务器获取此信息,例如 http://www .asset-intertech.com/products_interposers.htm(CPU 的 jtag 调试器)或此 http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900 (冻结的dimm内存在断电后保存数据)。

我不是硬件安全领域的专家,所以我只能推荐几个网页链接,例如 http: //en.wikipedia.org/wiki/Tamper_resistance & http://en.wikipedia.org/wiki/FIPS_140-2(级别 3 和级别 3) 4)

You need a http://en.wikipedia.org/wiki/Hardware_Security_Module server like used in banks for storing private credit card paymament information (like pins). They have a physical security, so if you open the case of server without authorization, it will delete secret key.

TPM is not a real solution of the problem, as the server can be demounted and stolen. If it doesn't require a password on boot, it will use private information, decrypting it internally. There are some hardware-sniffing solutions to get this information from the working server, like this http://www.asset-intertech.com/products_interposers.htm (jtag debugger for CPU) or this http://www.zdnet.com/blog/security/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/900 (frozed dimm memory save the data after poweroff).

I'm not an expert in field of hardware security, so I only can recommend several web links, such as http://en.wikipedia.org/wiki/Tamper_resistance & http://en.wikipedia.org/wiki/FIPS_140-2 (levels 3&4)

悲喜皆因你 2024-11-06 03:09:37

迟到的答案,但对于遇到这个问题的人来说可能仍然有帮助。

您可以使用 TPM 来保护密钥,而无需在每次启动时输入密码。您需要使用 TPM 密封功能。

此方法的一个示例是 Windows Bitlocker 使用TPM 保护全盘加密密钥。

额外的好处是,您不仅可以安全地存储密钥并且不需要输入密码,而且仅当您指定的特定软件加载到计算机上时才允许使用它。

Late answer, but might still be helpful for people stumbling on this question.

You can use the TPM to protect the key and not need to enter a password at each boot. You need to use the TPM Sealing functionality.

An example of this approach is the way Windows Bitlocker uses the TPM to protect the full disk encryption key.

The added benefit is that not only you store the key securely and don't need to enter your password, you also allow it to be used only if the specific software that you designate is loaded on the machine.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文