[teddyh]

> Just pull one hdd out,

That only works with RAID 1. If the server uses RAID 5 or RAID 6, this won’t work.

> extract what you need

Well, yes. This is addressed in the FAQ.

> or change the image.

> Then you turn off the server, and just start a vm with the captured init and capture the key.

Well, as explained in the FAQ, an attacker will have to do so quickly, before the Mandos server decides that the Mandos client has been offline for too long, and disables that client. The default value is five minutes, but is configurable per client.

[neocron]

Why wouldn't this work with Raid5? One of my raid5 hdds cought fire and the server was still running. Talking about mdadm in this case.

5 minutes is plenty to boot initrd from a vm... what's that gonna take? 10 seconds?

[Terr_]

I assume they're saying it won't work because the suggestion is to "pull one" HDD out.

With RAID 5, pulling 1/3 gives you only partial data, and pulling 2/3 removes too much so the system can't run.

[neocron]

Ok, that is assuming /boot is ON the raid which I wouldn't want to rate for probability

But even if it is, you could just pull one after the other and wait for the resilver before pulling the next one (you will hear if it resilvers automatically)