Deleted old topic

Deleted old topic Deleted old topic

No, there is no such way.

please

show me a router with an encrypted filesystem!

Deleted old topic Deleted old topic

This is the first time I hear something like that. Which routers exactly?

Most newer ones like hg630 v2, hg658 v2 have an encrypted xml config file and it's stored as encrypted xml (same file) in the jffs2 partition in /etc; other routers store config in another partition which is mounted like /config or something.

EDIT: I am not 100% sure where the encrypted config is stored in the routers I mentioned right now, but I know that it's stored encrypted because 1- I extracted a dump found on the net and all configs that I found were encrypted, 2- the default factory config which is in /etc/ is also encrypted.

Okay, nice to know,
but I think it is easier to make sure the router doesn't get into the wrong hands than to encrypt the config files.
Encryption uses the CPU a lot and the CPU should focus on routing and so on, in my opinion.

Deleted old topic Deleted old topic

In order to decrypt the config, the encryption key has to be stored on the same system, so this measure sounds like useless obfuscation to me.

Real encryption solutions like those used on desktops or laptops require the user to enter the decryption passphrase on each boot, which hardly makes sense on headless embedded appliances.

Deleted old topic Deleted old topic

Two thoughts:

  • who has access to your home to get physical access to your router?
    and when he has access, he will take the usb stick too
  • what important information is in your config files?

As far as I can tell the encryption that Huawei employs is not there to secure the user/owner, but really to avoid tinkering with ISP supplied hardware to keep the support costs down... As @jow explains this is not directed against external threats but really against the local admin... (For rented or leased equipment that IMHO seems fair enough, but for fully purchased equipment that is rather user hostile).

Deleted old topic Deleted old topic

Deleted old topic Deleted old topic

I think the easiest way is to put your router in a cage or something like that.

Deleted old topic Deleted old topic

the only real problem is if I need to go to a repair shop to repair the board if
something happens in the long run or any other situation where I am forced to
give the router to someone for some reason, or it being stolen from me while
travelling or something, but at home it will mostly be ok

Well, a repair shop is either going to replace the board (and the config), or
they will need access to the config.

If you are worried about people reading the config when you travel, erase it and
load it from a file on your laptop when you get to the destination (secure the
file on your laptop as appropriate).

Encryption at rest with transparent decryption at startup by the OS is security
theater more than real security. If your OS can read everything without needing
specific authorization, then so can bad guys running software in your OS. The
only thing this protects against is if someone steals the storage media, but
doesn't steal the OS media that has the decryption keys in it. Even in
Enterprise situations, this isn't very likely, and on a LEDE device, you don't
have the separate storage media.

David Lang

Deleted old topic Deleted old topic

Really? Forget about the money or jewelry, they are looking for routers ... :smiley:

If you are this worried about your router, I don't want to know how you secure your house, car and stuff like that.

Deleted old topic Deleted old topic