Creating an encrypted partition to store private keys [closed]
Clash Royale CLAN TAG#URR8PPP
I am using a BeagleBone Black board running Debian.
My intention is to create a separate encrypted partition to store private keys in the internal emmc. The keys are used for SSL communication. The main intention of course is to keep the keys secure so nobody can read them. I know that using a TPM or HSM is the right solution this , but I want to see if I can do something without one and just store the keys in normal flash.
The reason I need a separate partition is that sometimes I will want to completely upgrade the Linux OS on the device by over-writing the current image on one partition. I will not want to affect the private keys stored this way, and the new OS should be able to access the keys in the same way as the last one from the separate partition. Is this a common way to go about it?
Would dm-crypt work for this? I don't understand however how this works on the low-level. Will the new Linux OS in which I install be able to decrypt my private partition in the same way the previous Linux did? What is to stop anybody from decrypting and viewing my private keys if they hacked into the device?
debian partition encryption dm-crypt beagleboneblack
asked Dec 10 at 19:48
Engineer999
1143
closed as too broad by G-Man, RalfFriedl, Thomas, schily, 0xC0000022L Dec 12 at 14:16
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
add a comment |
I am using a BeagleBone Black board running Debian.
My intention is to create a separate encrypted partition to store private keys in the internal emmc. The keys are used for SSL communication. The main intention of course is to keep the keys secure so nobody can read them. I know that using a TPM or HSM is the right solution this , but I want to see if I can do something without one and just store the keys in normal flash.
The reason I need a separate partition is that sometimes I will want to completely upgrade the Linux OS on the device by over-writing the current image on one partition. I will not want to affect the private keys stored this way, and the new OS should be able to access the keys in the same way as the last one from the separate partition. Is this a common way to go about it?
Would dm-crypt work for this? I don't understand however how this works on the low-level. Will the new Linux OS in which I install be able to decrypt my private partition in the same way the previous Linux did? What is to stop anybody from decrypting and viewing my private keys if they hacked into the device?
debian partition encryption dm-crypt beagleboneblack
asked Dec 10 at 19:48
Engineer999
1143
closed as too broad by G-Man, RalfFriedl, Thomas, schily, 0xC0000022L Dec 12 at 14:16
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
4
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58
add a comment |
I am using a BeagleBone Black board running Debian.
My intention is to create a separate encrypted partition to store private keys in the internal emmc. The keys are used for SSL communication. The main intention of course is to keep the keys secure so nobody can read them. I know that using a TPM or HSM is the right solution this , but I want to see if I can do something without one and just store the keys in normal flash.
The reason I need a separate partition is that sometimes I will want to completely upgrade the Linux OS on the device by over-writing the current image on one partition. I will not want to affect the private keys stored this way, and the new OS should be able to access the keys in the same way as the last one from the separate partition. Is this a common way to go about it?
Would dm-crypt work for this? I don't understand however how this works on the low-level. Will the new Linux OS in which I install be able to decrypt my private partition in the same way the previous Linux did? What is to stop anybody from decrypting and viewing my private keys if they hacked into the device?
debian partition encryption dm-crypt beagleboneblack
asked Dec 10 at 19:48
Engineer999
1143
I am using a BeagleBone Black board running Debian.
My intention is to create a separate encrypted partition to store private keys in the internal emmc. The keys are used for SSL communication. The main intention of course is to keep the keys secure so nobody can read them. I know that using a TPM or HSM is the right solution this , but I want to see if I can do something without one and just store the keys in normal flash.
The reason I need a separate partition is that sometimes I will want to completely upgrade the Linux OS on the device by over-writing the current image on one partition. I will not want to affect the private keys stored this way, and the new OS should be able to access the keys in the same way as the last one from the separate partition. Is this a common way to go about it?
Would dm-crypt work for this? I don't understand however how this works on the low-level. Will the new Linux OS in which I install be able to decrypt my private partition in the same way the previous Linux did? What is to stop anybody from decrypting and viewing my private keys if they hacked into the device?
debian partition encryption dm-crypt beagleboneblack
debian partition encryption dm-crypt beagleboneblack
asked Dec 10 at 19:48
Engineer999
1143
asked Dec 10 at 19:48
Engineer999
1143
asked Dec 10 at 19:48
Engineer999
1143
asked Dec 10 at 19:48
Engineer999
1143
asked Dec 10 at 19:48
Engineer999
1143
1143
closed as too broad by G-Man, RalfFriedl, Thomas, schily, 0xC0000022L Dec 12 at 14:16
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
closed as too broad by G-Man, RalfFriedl, Thomas, schily, 0xC0000022L Dec 12 at 14:16
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
4
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58
add a comment |
4
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58
4
4
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58
add a comment |
1 Answer
1
active
oldest
votes
Encryption techniques are effective for protecting Data At Rest (DAR). However, once the data are decrypted, the data are available for, at least, the user who performed the decryption and the root user.
Regarding your question, it's not clear what purpose the encrypted storage serves. If the purpose is to store key material for a long time, then a cryptographic storage location is appropriate. However, it's better for such storage to be maintained offline. This is called Cold Storage.
You've indicated that you are looking to store TLS private keys. However, TLS keys are required to be kept online, and in most cases, in memory as well as on the active filesystem. So, the questions begin to pile up a bit here.
The question becomes a little more clear if you've created a self-signed root certificate along with the key. The private keys for such a system should be kept offline and in cryptographic Cold Storage as well.
Further Reading:
OWASP Cryptographic Storage Cheat Sheet
answered Dec 10 at 20:58
RubberStamp
1,7901518
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Encryption techniques are effective for protecting Data At Rest (DAR). However, once the data are decrypted, the data are available for, at least, the user who performed the decryption and the root user.
Regarding your question, it's not clear what purpose the encrypted storage serves. If the purpose is to store key material for a long time, then a cryptographic storage location is appropriate. However, it's better for such storage to be maintained offline. This is called Cold Storage.
You've indicated that you are looking to store TLS private keys. However, TLS keys are required to be kept online, and in most cases, in memory as well as on the active filesystem. So, the questions begin to pile up a bit here.
The question becomes a little more clear if you've created a self-signed root certificate along with the key. The private keys for such a system should be kept offline and in cryptographic Cold Storage as well.
Further Reading:
OWASP Cryptographic Storage Cheat Sheet
answered Dec 10 at 20:58
RubberStamp
1,7901518
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
add a comment |
Encryption techniques are effective for protecting Data At Rest (DAR). However, once the data are decrypted, the data are available for, at least, the user who performed the decryption and the root user.
Regarding your question, it's not clear what purpose the encrypted storage serves. If the purpose is to store key material for a long time, then a cryptographic storage location is appropriate. However, it's better for such storage to be maintained offline. This is called Cold Storage.
You've indicated that you are looking to store TLS private keys. However, TLS keys are required to be kept online, and in most cases, in memory as well as on the active filesystem. So, the questions begin to pile up a bit here.
The question becomes a little more clear if you've created a self-signed root certificate along with the key. The private keys for such a system should be kept offline and in cryptographic Cold Storage as well.
Further Reading:
OWASP Cryptographic Storage Cheat Sheet
answered Dec 10 at 20:58
RubberStamp
1,7901518
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
add a comment |
Encryption techniques are effective for protecting Data At Rest (DAR). However, once the data are decrypted, the data are available for, at least, the user who performed the decryption and the root user.
Regarding your question, it's not clear what purpose the encrypted storage serves. If the purpose is to store key material for a long time, then a cryptographic storage location is appropriate. However, it's better for such storage to be maintained offline. This is called Cold Storage.
You've indicated that you are looking to store TLS private keys. However, TLS keys are required to be kept online, and in most cases, in memory as well as on the active filesystem. So, the questions begin to pile up a bit here.
The question becomes a little more clear if you've created a self-signed root certificate along with the key. The private keys for such a system should be kept offline and in cryptographic Cold Storage as well.
Further Reading:
OWASP Cryptographic Storage Cheat Sheet
answered Dec 10 at 20:58
RubberStamp
1,7901518
Encryption techniques are effective for protecting Data At Rest (DAR). However, once the data are decrypted, the data are available for, at least, the user who performed the decryption and the root user.
Regarding your question, it's not clear what purpose the encrypted storage serves. If the purpose is to store key material for a long time, then a cryptographic storage location is appropriate. However, it's better for such storage to be maintained offline. This is called Cold Storage.
You've indicated that you are looking to store TLS private keys. However, TLS keys are required to be kept online, and in most cases, in memory as well as on the active filesystem. So, the questions begin to pile up a bit here.
The question becomes a little more clear if you've created a self-signed root certificate along with the key. The private keys for such a system should be kept offline and in cryptographic Cold Storage as well.
Further Reading:
OWASP Cryptographic Storage Cheat Sheet
answered Dec 10 at 20:58
RubberStamp
1,7901518
answered Dec 10 at 20:58
RubberStamp
1,7901518
answered Dec 10 at 20:58
RubberStamp
1,7901518
answered Dec 10 at 20:58
RubberStamp
1,7901518
1,7901518
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
add a comment |
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
I've created a self -signed certificate yes. The private key for the root certificate could be stored offline I agree but the private key for the device certificate must be available on the device always when I wish to start a TLS session? I'm just trying to understand if dm-crypt , or in general encrypting the partition where the key/keys will be stored is of much use to me.
– Engineer999
Dec 11 at 10:02
add a comment |
4
It isn't clear what the relevance of BeagleBone Black is. If this is just a question about dm-crypt, then I think it would be better if you focused on only what is relevant. On the other hand, if BeagleBone Black has some bearing on the answer, please clarify what you think the difference is.
– cryptarch
Dec 10 at 20:51
The fact that I have a small amount of internal flash memory to partition is why I mentioned the BBB. There might be different answers if I speak about a full hard disk available to me to partition. I want to be more specific as to what I'm working on just.
– Engineer999
Dec 11 at 9:58