View Single Post
  #4   (View Single Post)  
Old 28th September 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,354
Default

Physical access is physical access. There is nothing to stop someone with it from doing whatever they want. e.g.: copying your read-only data somewhere else and modifying it. In that case, the only way to prevent access to encrypted data is to NOT leave the keys in unencrypted media.

The purpose of making a filesystem read-only is to prevent changes to it in the event someone is able to acquire superuser power remotely. This can be as simple as using a read only device, or setting the schg flag on all files in the filesystem.

If you don't trust those with physical access, either place your hardware in a trusted environment, or don't use OpenBSD.
Reply With Quote