I suspect they have a base OS installation and then have a post-boot encrypted partition which requires manual passphrase entry over ssh or console to unlock, containing all the relevant data. That's a pretty normal way to set up remotely-adminned fairly secure servers.
When it's "cold" (offline, or running but in system-low mode), you have no real protection of the OS, but you essentially distrust the machine whenever it gets rebooted without your consent. If someone can get root on the server while it's in "high mode" (normal operation, after keys are entered), any protections are irrelevant anyway.
The risk is if the attacker can cause enough reboots that you stop caring about reboots so much, and just blindly enter the passphrase; the attacker then puts up something which steals the passphrase, and then uses the passphrase on an already-imaged drive, winning the game. Or if the attacker can use one of a large number of vulnerabilities to get access to your data when it's running in system-high mode: either an app-level vulnerability, local access + local root, or remote root.
Server technology sucks for anything needing great security but adminned strictly remotely.
> I suspect they have a base OS installation and then have a post-boot encrypted partition which requires manual passphrase entry over ssh or console to unlock, containing all the relevant data. That's a pretty normal way to set up remotely-adminned fairly secure servers.
Debian and Ubuntu both support this pretty painlessly.
1) Do the base install with full disk encryption.
2) Put an ssh public key into /root/.ssh/authorized_keys
3) Install dropbear.
4) Force an initramfs rebuild if it doesn't happen automatically.
You'll get an initramfs that has dropbear ssh embedded which you can log into and unlock the disk.
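As an added example, not from the thread or from Debian's own tooling: a POSIX sh wrapper around the unlock step that pins the initramfs dropbear host key in a dedicated known_hosts file, so a boot environment presenting a different key (the tampered-initramfs concern raised in this thread) is refused before any passphrase is typed. The host name server.example, port 2222, the pin file path and the presence of Debian's cryptroot-unlock helper inside the initramfs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: unlock a Debian/Ubuntu encrypted root over
# the initramfs dropbear only after the presented host key matches one pinned in
# a dedicated known_hosts file. Assumed (not on the page): host server.example,
# dropbear on port 2222, pin file ~/.ssh/initramfs_known_hosts, and Debian's
# cryptroot-unlock helper being available inside the initramfs.
HOST="${HOST:-server.example}"
PORT="${PORT:-2222}"
PIN_FILE="${PIN_FILE:-$HOME/.ssh/initramfs_known_hosts}"

# key_pinned PIN_FILE SCAN_LINE
# SCAN_LINE is one line of ssh-keyscan output: "[host]:port key-type base64".
# Succeeds only when PIN_FILE holds exactly one plaintext entry for that host
# and its key type and key body are identical; a changed, missing or duplicated
# entry fails. Hashed (HashKnownHosts) entries are deliberately not supported.
key_pinned() {
  pin_file=$1
  # shellcheck disable=SC2086  # splitting the scan line into fields is intended
  set -- $2
  [ $# -ge 3 ] && [ -r "$pin_file" ] || return 1
  awk -v h="$1" -v t="$2" -v k="$3" '
    $1 == h { n++; if ($2 == t && $3 == k) ok++ }
    END { exit (n == 1 && ok == 1) ? 0 : 1 }' "$pin_file"
}

# Run once from a trusted state (e.g. right after the install, before the box
# is ever rebooted unattended) and confirm the fingerprint out of band.
record_pin() {
  ssh-keyscan -p "$PORT" -t ed25519 "$HOST" 2>/dev/null > "$PIN_FILE"
}

# Refuse to type the passphrase unless the initramfs presents the pinned key;
# StrictHostKeyChecking=yes on the same file makes ssh enforce it a second time.
unlock() {
  presented=$(ssh-keyscan -p "$PORT" -t ed25519 "$HOST" 2>/dev/null)
  [ -n "$presented" ] || { echo "no host key from $HOST:$PORT" >&2; return 1; }
  key_pinned "$PIN_FILE" "$presented" || {
    echo "host key differs from pin: boot environment not trusted, not unlocking" >&2
    return 1
  }
  ssh -p "$PORT" -o UserKnownHostsFile="$PIN_FILE" -o StrictHostKeyChecking=yes \
      -o IdentitiesOnly=yes "root@$HOST" cryptroot-unlock
}

case "${1:-}" in
  record) record_pin ;;
  unlock) unlock ;;
esac
```

Run it once as `./unlock.sh record` from a trusted state, then `./unlock.sh unlock` after each reboot; the passphrase prompt only appears once the pinned key has been verified.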
Right, but there's no real proof the dropbear/sh/etc. you talk to is untampered after reboot; it could easily be logging, if someone shut your system down and replaced the boot drive. ssh vs. serial console at least requires they extract some (unencrypted) key from the drive, though.