[Discuss] NAS Folder Encryption

Rich Braun richb at pioneer.ci.net
Fri Apr 24 14:33:37 EDT 2015


aldo_albanese <aldo_albanese at yahoo.com> clarified:
> The system is connected thru the Internet so it can be accessed
> everywhere of course with a password. I use it at home ...

OK so let's expand on this use-case a bit. First, a little history from where
I sit in California. In 2009, a guy named David Riley got pulled over for an
expired registration.  Cops made a warrantless search of his mobile phone
against his wishes, and the case since then has made it all the way to the
U.S. Supreme Court. Authorities in California repeatedly ruled against privacy
rights for personal computing devices (mobile in this case, potentially
home-based servers as well). Read more about the US Supreme Court's reversal
of this 9 months ago at:
http://www.nytimes.com/2014/06/26/us/supreme-court-cellphones-search-privacy.html

Developers at Apple were paying attention, and shoved a middle-finger in the
FBI's face when they created a hardened solution for this use-case.

If you pry an iPhone open, extract its flash memory chip, and attempt to
decrypt it: you will fail. (I think Android can also resist this type of
police intrusion.)  Unlike the Android, though, with an iPhone you can rest
assured that even if extra effort is made to keep the device powered up as you
extract flash memory contents, you'll also find the data encrypted. Apple
created an ingenious mechanism for tying its folder-locking method to its
screensaver: when the screensaver is activated, the decryption keys are wiped. FBI
authorities have expressed concern that this is too hard to break, but so far
Apple's put consumer privacy first. It's not perfect, a lot of your data isn't
protected, but the design is sound (a short discussion of its vulnerabilities:
http://www.zdziarski.com/blog/?p=2149).

Here's what I want for my home server, which like Aldo's is accessible via the
Internet: I want all sensitive files (e.g., tax forms, business records,
personal correspondence) kept encrypted AT ALL TIMES except when I'm actually
looking at them. If I could activate/deactivate the LUKS encryption keys via
the screen-lock utility (on a desktop/laptop separate from the server), that'd
solve a lot of this problem without having to constantly retype a password
(indeed, having to type a password introduces key-logger vulnerabilities that
I want to avoid).

An Internet intrusion is far likelier than a home burglary, so until this
capability comes along, my files are vulnerable (even with LUKS encryption) as
long as the volumes are mounted.

-rich
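
One way to approximate the screen-lock-driven key handling asked for in the message above, as an added example that is not part of the original post. It uses cryptsetup's luksSuspend (freezes I/O and wipes the volume key from kernel memory) and luksResume. The host name, mapping name, key-file path, passwordless sudo on the server and the GNOME screensaver D-Bus signal are all assumptions.

```shell
#!/bin/sh
# Runs on the desktop. Hypothetical settings, override via environment:
NAS_HOST="${NAS_HOST:-nas.example.net}"        # server holding the LUKS volume
LUKS_NAME="${LUKS_NAME:-vault}"                # dm-crypt mapping name on the server
KEYFILE="${KEYFILE:-$HOME/.config/vault.key}"  # key file kept on the desktop only

# Map one line of dbus-monitor output to an action.
# ActiveChanged carries one boolean: true = screen locked, false = unlocked.
lock_action() {
    case "$1" in
        *"boolean true"*)  echo suspend ;;
        *"boolean false"*) echo resume ;;
        *)                 echo ignore ;;   # signal header lines, other traffic
    esac
}

# Command to run on the server for a given action.
remote_command() {
    case "$1" in
        suspend) echo "sudo cryptsetup luksSuspend $LUKS_NAME" ;;
        # "--key-file -" makes cryptsetup read the key from stdin, so the key
        # never appears in a process argument list.
        resume)  echo "sudo cryptsetup luksResume $LUKS_NAME --key-file -" ;;
    esac
}

# Follow screen-lock events and suspend/resume the remote volume.
watch_lock() {
    dbus-monitor --session \
        "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
    while IFS= read -r line; do
        action=$(lock_action "$line")
        [ "$action" = ignore ] && continue
        cmd=$(remote_command "$action")
        if [ "$action" = resume ]; then
            ssh "$NAS_HOST" "$cmd" < "$KEYFILE"
        else
            ssh -n "$NAS_HOST" "$cmd"   # -n: do not swallow the loop's stdin
        fi || echo "luks $action failed on $NAS_HOST" >&2
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_lock
fi
```

While the volume is suspended, any server process touching it blocks until luksResume succeeds, so services that use the volume need to tolerate stalls.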




