| 1 |
On Sat, May 9, 2015 at 10:46 AM, Todd Goodman <tsg@×××××××××.net> wrote: |
| 2 |
> |
| 3 |
> As for keys, you could use Amazon's AWS Key Management Service. |
| 4 |
> Of course they could be sitting there gathering keys, but at some point |
| 5 |
> you either have to trust they'll do what they say or simply decide not |
| 6 |
> to use them at all (IMNHO.) |
| 7 |
|
| 8 |
That is really intended more for credentials used for hosted systems |
| 9 |
to communicate with other services/each other/etc. If you have to |
| 10 |
have your credentials in the cloud, then you might as well have a |
| 11 |
somewhat secure way to manage them. However, that is clearly inferior |
| 12 |
to not putting credentials in the cloud in the first place. |
| 13 |
|
| 14 |
> |
| 15 |
> You could also use AWS Key Management for backup data you want |
| 16 |
> "reasonably" secured and then your own keys for data you want more |
| 17 |
> highly secured (hopefully much smaller so the verify costs are more |
| 18 |
> reasonable.) |
| 19 |
> |
| 20 |
|
| 21 |
I just don't frequently verify my backups. I'm willing to trust |
| 22 |
Amazon to have my data when I ask for it. That is their entire |
| 23 |
business model with S3 and they're probably one of the stronger links |
| 24 |
in the data security chain. If I'm going to be paranoid about that, |
| 25 |
I'm going to probably have other things I'd prefer to improve first. |
| 26 |
|
| 27 |
I keep copies of my backup keys in a few places. My thread model is |
| 28 |
somebody hacking my account looking for personal data |
| 29 |
(finances/keys/whatever). If they hack into Amazon they won't have |
| 30 |
the necessary keys. If somebody manages to steal one of my keys in |
| 31 |
safekeeping elsewhere, they won't have access to any of the data |
| 32 |
encrypted using the key. If the NSA or whoever is going to access my |
| 33 |
Amazon data and also ask my bank to open my safe deposit box or |
| 34 |
whatever, then more power to them. I run a tor node, so they've |
| 35 |
probably rooted my box anyway. |
| 36 |
|
| 37 |
|
| 38 |
-- |
| 39 |
Rich |
Archives