[neocron]

Which server today doesnt have Raid? Just pull one hdd out, extract what you need or change the image.

Then you turn off the server, and just start a vm with the captured init and capture the key.

Now you can decrypt the server offline with all the time in the world.

[teddyh]

> Just pull one hdd out,

That only works with RAID 1. If the server uses RAID 5 or RAID 6, this won’t work.

> extract what you need

Well, yes. This is addressed in the FAQ.

> or change the image.

> Then you turn off the server, and just start a vm with the captured init and capture the key.

Well, as explained in the FAQ, an attacker will have to do so quickly, before the Mandos server decides that the Mandos client has been offline for too long, and disables that client. The default value is five minutes, but is configurable per client.

[neocron]

Why wouldn't this work with Raid5? One of my raid5 hdds cought fire and the server was still running. Talking about mdadm in this case.

5 minutes is plenty to boot initrd from a vm... what's that gonna take? 10 seconds?

[Terr_]

I assume they're saying it won't work because the suggestion is to "pull one" HDD out.

With RAID 5, pulling 1/3 gives you only partial data, and pulling 2/3 removes too much so the system can't run.

[neocron]

Ok, that is assuming /boot is ON the raid which I wouldn't want to rate for probability

But even if it is, you could just pull one after the other and wait for the resilver before pulling the next one (you will hear if it resilvers automatically)

[NekkoDroid]

This doesn't work with secure boot and UKIs, since the entire "pre-rootfs switch" is signed in a single binary. If your threat model is what you have that is the least you should have.

[neocron]

Can't I just extract the key from uefi/tmp in this case? Not that it's easy, but with the right tools you can so it offline with all the time in the world