BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- Subject: [Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- From: richb at pioneer.ci.net (Rich Braun)
- Date: Wed, 1 Oct 2014 09:06:28 -0700
Discussion on this topic has veered from the technical -- what's the state of open-source or low-cost key-server and encryption software today -- to the tactical: why bother? I'll address the why-bother: I live in the heart of the tech capital of the world, San Francisco. The city is seeing a surge in property crimes, and a crook not only grabbed a laptop right out of the bedroom but if he'd chosen to do so, could have gotten one or more of the servers which contain a lifetime of private data. The use-case is pretty trivial to describe: if a server is lost to a future theft, I'd lose sleep over the what-if scenarios of crooks who have enough savvy to fence stolen hard-drives to organized extortion rings or others who are able to exploit stolen data. That's a far-fetched scenario, perhaps, in a far-flung suburb of Boston but I'm not crazy to defend against it here in SF. I will repeat the acceptance-criteria that I raised in my OP: (a) the keys are convenient, readily accessible at every reboot (b) the keys can't readily fall into the wrong hands (c) infrequently-accessed filesystems aren't accessible except when needed (d) generated keys and pass-phrases have sufficient entropy (e) the keys and pass-phrases can survive *me* (e.g. by somehow keeping an up-to-date version in a bank safe-deposit box in case I get hit by the proverbial bus) My model for this is the commercial key-storage systems (and/or HSMs) sold by companies like SafeNet and Vormetric. Running through the installation procedure for Debian/Ubuntu would, of course, encrypt the root filesystems but that's not my question: I know /how/ to run cryptsetup on filesystems of my existing already-installed servers. But I want to address the issues above which aren't addressed by merely typing a pass-phrase into an installation script, hoping for the best, and avoiding getting hit by a bus or forgetting the pass-phrase (which by the way I do all the time: I am forever hitting the forgot-password links at the myriad websites which require PW auth). Security is really much harder than you think. My employer pays huge bucks for me to think about this on the job, and I can't help but to think about it for my personal data as well. -rich
- Follow-Ups:
- [Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- From: bill at horne.net (Bill Horne)
- [Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- Prev by Date: [Discuss] CipherShed: TrueCrypt fork
- Next by Date: [Discuss] CipherShed: TrueCrypt fork
- Previous by thread: [Discuss] Shellshock
- Next by thread: [Discuss] Back to the OP: Re: Server/laptop full-disk encryption
- Index(es):
