by noodlesUK
2191 days ago
This is a very hard problem to solve. It isn’t possible to prevent a well-resourced determined adversary from getting into such a device (iPhones are some of the most well locked-down devices in the world, and there are still jailbreaks). For ordinary hardware you’re probably looking at using something like a TPM, which can be used to decrypt drives based on the state of the BIOS and hardware. Your best bet is to have trustworthy customers and strong legal protections. If that’s not good enough, a TPM will be the next best thing. Have a look at the Red Hat documentation on how to set up a TPM for LUKS. Also be sure to set up secure boot correctly with a custom key and lock the BIOS.

https://access.redhat.com/documentation/en-us/red_hat_enterp...

Edit: I’m reading through your question again. In terms of secrets used to communicate with a back end, it’s very very very important that the secrets used for each device/customer are different, and can be revoked. If you’ve got something like AWS access keys in there, don’t. Use per-user secrets that aren’t the keys to the kingdom.
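The per-device, revocable secrets recommended in the comment above, sketched as an added example that is not part of the original comment. The class, function names and device IDs are hypothetical, and the in-memory registry stands in for whatever store the back end actually uses.

```python
import hashlib
import hmac
import secrets


class DeviceKeyRegistry:
    """Back-end registry (hypothetical): one random secret per device, revocable individually."""

    def __init__(self):
        self._keys = {}        # device_id -> 32-byte secret
        self._revoked = set()  # device_ids whose secret is no longer accepted

    def enroll(self, device_id):
        """Create a fresh secret for one device; it is provisioned to that device only."""
        if device_id in self._keys:
            raise ValueError("device already enrolled")
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def revoke(self, device_id):
        """Stop trusting one device without touching any other device's secret."""
        self._revoked.add(device_id)

    def verify(self, device_id, message, tag):
        """Accept a request only if it is MACed with this device's own, unrevoked secret."""
        key = self._keys.get(device_id)
        if key is None or device_id in self._revoked:
            return False
        return hmac.compare_digest(sign(key, device_id, message), tag)


def sign(key, device_id, message):
    """Device side: HMAC-SHA256 over the device ID and the request body."""
    data = device_id.encode() + b"\x00" + message
    return hmac.new(key, data, hashlib.sha256).digest()


if __name__ == "__main__":
    registry = DeviceKeyRegistry()
    key_a = registry.enroll("device-a")   # constructed sample IDs
    key_b = registry.enroll("device-b")
    body = b'{"reading": 21.5}'           # constructed sample request

    # A secret pulled off device A cannot be used to speak as device B.
    print(registry.verify("device-b", body, sign(key_a, "device-b", body)))
    # Revoking the extracted secret locks out device A only.
    registry.revoke("device-a")
    print(registry.verify("device-a", body, sign(key_a, "device-a", body)))
    print(registry.verify("device-b", body, sign(key_b, "device-b", body)))
```
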