Remote server with 100% encryption and mask show protection
To write this masterpiece I was inspired by the article "Paranoid Dream or Once Again about Encryption . " Very wonderful and useful with one exception - if “mask shows” come, they will take away the server along with all the flash drives and keys. Hence the question - how to make sure that there are no traces of encryption, keys, etc. on the server at all?
The answer is banal - do not store them on the server. And do not store next to the server. And generally somewhere in the area of ​​reach of a potential attacker.
The idea of ​​the proposed solution is simple:
- On the server that needs to be protected (let's call it “working”), install two systems. The first one is the minimum one, on a normal NOT encrypted partition and consisting only of the kernel, the console and network interfaces and not using a swap. The second is for the encrypted partition using the FeNUMe method. The encrypted section must be fully encrypted and not contain any headers. From the point of view of an outside observer, this should be an unformatted disk area filled with random data.
- There must be a second (let's call it “hidden”) server geographically located in another country and designed for another person. The server should not respond to ping and should accept requests from only one IP - IP of the working server. And the rest of the connections should be cut off at the firewall level - for the rest of the world except the working server, the hidden server is a “black hole”.
- Loading of the working server begins with the launch of the minimum (open) unencrypted system. During the download, the network interfaces, SSH and ram disk are raised.
- After loading an open system, it knocks on the second server via HTTP / HTTPS.
- In response to the knockout of the working server, the hidden server enters the working server console via SSH, copies a script and key file from the hidden section of the working server to the ram disk and runs the script. After that, it turns off safely.
- The script connects the hidden partition (it has the key file), and starts the kernel from there using kexec. Those. actually running the new system.
- Everything. Finita, as they say, la comedy and full comprehensive profit.
- For those who wish, the hidden server can be equipped with a shutdown function to receive a message from the SMS-email gateway (actually a shutdown function to receive SMS). Moreover, before his own shutdown, he must log into the working server via SSH and turn it off. Those. The function of remote shutdown of both servers is added.
What do we have as a result?
If you remove a working server, then there is nothing on it, except for a bare system, which, after downloading, addresses some mysterious URL. Such a withdrawn system will not do anything more, since its IP will change and the hidden server will ignore all calls. Moreover, the mere existence of a hidden server will be unprovable, because It responds to requests from one specific IP.
In no way is it possible to prove the existence of any useful data on the production server — only an unplaced area filled with random data is visible.
No keys are stored on the production server.
There is no way to prove the fact of using encryption tools, since each time they are copied from another computer (from a hidden server) and are located on a ramdisk.
The main system of the working server entirely, together with the kernel and logs is on the encrypted partition and the fact of its existence is unprovable.
The server owner (his friends, relatives, colleagues) can turn off the hidden server at any time, making it impossible to access data on the production server, and the very fact that any data is unprovable.
If there is an SMS control, then in the case of a mask show, the owner can remotely turn off both servers and after switching on, there will be nothing on the production server except a bare system.
The method is completely and 100% resistant to even the harshest thermorectal cryptanalysis. For, if you physically format the hidden server or delete the key file from it, then with all the desire the owner will not be able to show anything to anyone.
The method is resistant to failures - if the secret server died unexpectedly, then the owner can have a flash drive buried in a secret place under the cherished lime tree with the files necessary to start the working server. And having these files (script and key), no one forbids to log into the open system of the working server via SSH and run the encrypted system. True, the resistance to thermo-rectal cryptanalysis in this case decreases markedly.
Among the shortcomings we have:
- in case of unavailability of the hidden server, the working server cannot start, but normal servers restart rarely and if there is no Internet, then the working server is most likely useless;
- nobody forbids to have two hidden servers (duplication).
PS
Because here send questions to the mail, then I will write a few comments:
1) Just using a hidden server for storing data is not interesting, because he is far and ping him is great, and the channel is narrow.
2) Nothing is given from the hidden server - the hidden server comes over SSH to the production server. If you give something away, then the scheme of work becomes clear and a lot of questions arise, plus, there is a reason to put pressure on the owner because he "obstructs."
3) Access to a hidden server, of course, via HTTPS, so that IP cannot be changed. Although, in fact, this is not necessary - we still accept one single IP. Plus, knocking need to have SSH keys.
4) This is not a panacea and is not a defense against anything and everything. If the state wants to plant someone, it will plant. And no servers are needed for this. And if the security services for someone will take, they will get their. This protection is purely against arbitrariness and chaos - when, due to competitors or young jokers, the unsuspecting server owner can get a real deadline.
5) This applies primarily to the web-hosting, when there is no physical access to the server. For corporate servers, probably also something similar to use, but it is not clear why :)
6) In the Comments, everyone became attached to this unfortunate soldering iron, like a bath sheet - to the ass. From a soldering iron, nothing will help. Even the absence of a server.
')
Pps
Tired of arguing with strange people from a parallel universe, I add this example .
The answer is banal - do not store them on the server. And do not store next to the server. And generally somewhere in the area of ​​reach of a potential attacker.
The idea of ​​the proposed solution is simple:
- On the server that needs to be protected (let's call it “working”), install two systems. The first one is the minimum one, on a normal NOT encrypted partition and consisting only of the kernel, the console and network interfaces and not using a swap. The second is for the encrypted partition using the FeNUMe method. The encrypted section must be fully encrypted and not contain any headers. From the point of view of an outside observer, this should be an unformatted disk area filled with random data.
- There must be a second (let's call it “hidden”) server geographically located in another country and designed for another person. The server should not respond to ping and should accept requests from only one IP - IP of the working server. And the rest of the connections should be cut off at the firewall level - for the rest of the world except the working server, the hidden server is a “black hole”.
- Loading of the working server begins with the launch of the minimum (open) unencrypted system. During the download, the network interfaces, SSH and ram disk are raised.
- After loading an open system, it knocks on the second server via HTTP / HTTPS.
- In response to the knockout of the working server, the hidden server enters the working server console via SSH, copies a script and key file from the hidden section of the working server to the ram disk and runs the script. After that, it turns off safely.
- The script connects the hidden partition (it has the key file), and starts the kernel from there using kexec. Those. actually running the new system.
- Everything. Finita, as they say, la comedy and full comprehensive profit.
- For those who wish, the hidden server can be equipped with a shutdown function to receive a message from the SMS-email gateway (actually a shutdown function to receive SMS). Moreover, before his own shutdown, he must log into the working server via SSH and turn it off. Those. The function of remote shutdown of both servers is added.
What do we have as a result?
If you remove a working server, then there is nothing on it, except for a bare system, which, after downloading, addresses some mysterious URL. Such a withdrawn system will not do anything more, since its IP will change and the hidden server will ignore all calls. Moreover, the mere existence of a hidden server will be unprovable, because It responds to requests from one specific IP.
In no way is it possible to prove the existence of any useful data on the production server — only an unplaced area filled with random data is visible.
No keys are stored on the production server.
There is no way to prove the fact of using encryption tools, since each time they are copied from another computer (from a hidden server) and are located on a ramdisk.
The main system of the working server entirely, together with the kernel and logs is on the encrypted partition and the fact of its existence is unprovable.
The server owner (his friends, relatives, colleagues) can turn off the hidden server at any time, making it impossible to access data on the production server, and the very fact that any data is unprovable.
If there is an SMS control, then in the case of a mask show, the owner can remotely turn off both servers and after switching on, there will be nothing on the production server except a bare system.
The method is completely and 100% resistant to even the harshest thermorectal cryptanalysis. For, if you physically format the hidden server or delete the key file from it, then with all the desire the owner will not be able to show anything to anyone.
The method is resistant to failures - if the secret server died unexpectedly, then the owner can have a flash drive buried in a secret place under the cherished lime tree with the files necessary to start the working server. And having these files (script and key), no one forbids to log into the open system of the working server via SSH and run the encrypted system. True, the resistance to thermo-rectal cryptanalysis in this case decreases markedly.
Among the shortcomings we have:
- in case of unavailability of the hidden server, the working server cannot start, but normal servers restart rarely and if there is no Internet, then the working server is most likely useless;
- nobody forbids to have two hidden servers (duplication).
PS
Because here send questions to the mail, then I will write a few comments:
1) Just using a hidden server for storing data is not interesting, because he is far and ping him is great, and the channel is narrow.
2) Nothing is given from the hidden server - the hidden server comes over SSH to the production server. If you give something away, then the scheme of work becomes clear and a lot of questions arise, plus, there is a reason to put pressure on the owner because he "obstructs."
3) Access to a hidden server, of course, via HTTPS, so that IP cannot be changed. Although, in fact, this is not necessary - we still accept one single IP. Plus, knocking need to have SSH keys.
4) This is not a panacea and is not a defense against anything and everything. If the state wants to plant someone, it will plant. And no servers are needed for this. And if the security services for someone will take, they will get their. This protection is purely against arbitrariness and chaos - when, due to competitors or young jokers, the unsuspecting server owner can get a real deadline.
5) This applies primarily to the web-hosting, when there is no physical access to the server. For corporate servers, probably also something similar to use, but it is not clear why :)
6) In the Comments, everyone became attached to this unfortunate soldering iron, like a bath sheet - to the ass. From a soldering iron, nothing will help. Even the absence of a server.
')
Pps
Tired of arguing with strange people from a parallel universe, I add this example .
Source: https://habr.com/ru/post/92022/
All Articles