LINUX.ORG.RU

Edit history

Edit by PPP328, (current version):

Provisioning

Provisioning is the process whereby the encrypted host is enabled for automatic decryption at boot. This process presumes that the disk is already encrypted at install time using a recovery key. Alternatively, the provisioning process can be cooked into Anaconda directly.

Generate a random key
Add the random key to LUKS
Encrypt the random key to the Petera server's encryption certificate (online or offline operation)
Store the encrypted random key on the local (encrypted) disk
Copy the encrypted random key into the initramfs

No data is ever stored on the Petera server. This entire procedure can be performed offline if the Petera server's encryption certificate is known.

Acquisition

These are the steps that occur in the initramfs in order to decrypt the root volume.

Bring up the network
Connect to the Petera server and validate the TLS certificate (including stapled OCSP)
Send the encrypted random key to the Petera server
Receive the (decrypted) random key from the Petera server
Use the random key to decrypt the disk

This process is entirely automated and the random key can only ever be decrypted by the Petera server. This requires network connectivity, but no authentication is needed.

Somehow this doesn't match what is claimed at all. Your attack is still feasible. Copying the generated key and sending it to our server is still not a problem.

Original version by PPP328, :

Provisioning

Provisioning is the process whereby the encrypted host is enabled for automatic decryption at boot. This process presumes that the disk is already encrypted at install time using a recovery key. Alternatively, the provisioning process can be cooked into Anaconda directly.

Generate a random key
Add the random key to LUKS
Encrypt the random key to the Petera server's encryption certificate (online or offline operation)
Store the encrypted random key on the local (encrypted) disk
Copy the encrypted random key into the initramfs

No data is ever stored on the Petera server. This entire procedure can be performed offline if the Petera server's encryption certificate is known.

Acquisition

These are the steps that occur in the initramfs in order to decrypt the root volume.

Bring up the network
Connect to the Petera server and validate the TLS certificate (including stapled OCSP)
Send the encrypted random key to the Petera server
Receive the (decrypted) random key from the Petera server
Use the random key to decrypt the disk

This process is entirely automated and the random key can only ever be decrypted by the Petera server. This requires network connectivity, but no authentication is needed.

Somehow this doesn't match what is claimed at all. Your attack is still feasible. Copying the generated key and sending it to our server is not still not a problem.
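The quoted provisioning and acquisition steps, modelled with the openssl command line as an added example (not part of the comment and not Petera's own code). It shows what the server can tell apart when no client authentication is required. The function names, file names and the RSA-OAEP choice are assumptions, and the LUKS steps are omitted because they need a block device.

```shell
#!/bin/sh
# Added model of the quoted exchange. All names are hypothetical; the LUKS
# steps (adding the key, unlocking the disk) are omitted.
set -eu
WORK=$(mktemp -d)

# Server: key pair standing in for the "encryption certificate".
server_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
}

# Provisioning: generate a random key and encrypt it to the server's public
# key. Only the public key is needed, so this works offline.
provision() {
    openssl rand -out "$WORK/luks.key" 32
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/luks.key" -out "$WORK/initramfs.blob"
}

# Server's decryption service: $1 = received blob, $2 = where to write the
# reply. Nothing here identifies the sender ("no authentication is needed").
server_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# Acquisition as seen by any holder of the blob: $1 = blob, $2 = output.
# Exit status 0 means the server's reply equals the provisioned key.
acquire() {
    server_decrypt "$1" "$2" && cmp -s "$2" "$WORK/luks.key"
}

# The blob in the initramfs has to be readable before the disk is unlocked,
# so a byte-for-byte copy of it is answered exactly like the original.
run_model() {
    server_setup
    provision
    cp "$WORK/initramfs.blob" "$WORK/copied.blob"
    acquire "$WORK/initramfs.blob" "$WORK/host.out" &&
        acquire "$WORK/copied.blob" "$WORK/other.out"
}

run_model && echo "server returned the key for both the host and the copy"
```

TLS validation in the acquisition steps authenticates the server to the client only; the server's reply depends solely on the blob it receives.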