Boot from an encrypted FS with keys on FDD

Yes, I know it's nuts using a floppy disk to store your crypto keys... but here it goes.

I have thousands of new 3 1/2" HD floppies just lying around. I was thinking one day that a single floppy has 2880 512-byte sectors. Well, if we convert that to bits, that's roughly 2880 4096-bit keys. If we add triple copies of each key on disk (redundancy), that's roughly 960 keys.

Is there a way to have a small unencrypted bootloader load the key file on the disk and then mount the filesystem using the loaded key?
 
It's possible.

An ideal implementation is, in fact, to boot (MBR, bootcode and kernel) from RO media, such as an optical disc or USB key with a write protection switch, like the Kanguru Flashblu II.

The keys can then be read from any kernel-accessible device.

I believe there's a HOWTO on this matter; you may also wish to read geli(8).

It makes it rather difficult to update, but if you're running something like a gateway or firewall, it might be worthwhile to write images from your secure station at every ruleset change if you switch runlevels.

For a workstation, you then have to guard the boot image with your life. Considering that every station is different and you might want to be implementing a secure boot process on several machines, you might want to think about a live FS on USB from which to checksum the main components in a distro before any reboot.

I believe it's even possible to use freebsd-update IDS for that very purpose, and it could give you some insight on what kind of checks you should be doing.

Running a secure facility is no small task, particularly in this day and age. Good luck.
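
The key-slot arithmetic from the question (2880 sectors, one 4096-bit key per 512-byte sector, three copies, 960 slots), worked through as an added example that is not part of the original posts. The placement of the copies (copy c of slot k at sector k + 960*c), the in-memory image and all function names are assumptions made for illustration.

```python
import os

SECTOR = 512                 # bytes per sector = one 4096-bit key
SECTORS = 2880               # 3.5" HD floppy
COPIES = 3                   # triple redundancy, as in the question
SLOTS = SECTORS // COPIES    # 960 usable key slots


def offsets(slot):
    """Byte offsets of the three copies of a slot.

    Assumed layout: copy c of slot k is at sector k + c*SLOTS, so the copies
    sit 960 sectors apart and one damaged region cannot cover all three.
    """
    if not 0 <= slot < SLOTS:
        raise ValueError("slot out of range")
    return [(slot + c * SLOTS) * SECTOR for c in range(COPIES)]


def write_key(image, slot, key):
    """Store the same 512-byte key in all three copies of a slot."""
    if len(key) != SECTOR:
        raise ValueError("key must be exactly 512 bytes")
    for off in offsets(slot):
        image[off:off + SECTOR] = key


def read_key(image, slot):
    """Return (key, bad_bits) using a bitwise 2-of-3 majority vote."""
    a, b, c = (image[o:o + SECTOR] for o in offsets(slot))
    key = bytes((x & y) | (x & z) | (y & z) for x, y, z in zip(a, b, c))
    # Count bit positions where at least one copy disagrees with the vote.
    bad = sum(bin((x ^ k) | (y ^ k) | (z ^ k)).count("1")
              for x, y, z, k in zip(a, b, c, key))
    return key, bad


def demo():
    image = bytearray(SECTOR * SECTORS)   # constructed blank floppy image
    key = os.urandom(SECTOR)              # constructed sample key
    write_key(image, 7, key)
    # Simulate media damage in two different copies at different offsets.
    first, second, _ = offsets(7)
    image[first + 10] ^= 0xFF
    image[second + 200:second + 232] = bytes(32)
    recovered, bad = read_key(image, 7)
    return recovered == key, bad
```

The recovered 512 bytes can be written to a file and passed to `geli attach -k`. The vote cannot detect the case where two copies are damaged at the same bit, so a nonzero `bad` count is the signal to rewrite the slot or retire the disk.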
 