Gentoo Archives: gentoo-user

From: Matti Nykyri <matti.nykyri@×××.fi>
To: "gentoo-user@l.g.o" <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
Date: Mon, 02 Jun 2014 12:58:43
Message-Id: 804C80CA-09EB-4D11-AC06-D7AAFE836C90@iki.fi
In Reply to: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet? by godzil
On Jun 2, 2014, at 15:36, godzil <godzil@××××××.net> wrote:

> On 2014-06-02 13:23, Matti Nykyri wrote:
>> On Jun 2, 2014, at 16:40, "J. Roeleveld" <joost@××××××××.org> wrote:
>> Well I have a switch in the door of the server room. It opens when you
>> open the door. That signals the kernel to wipe all the encryption keys
>> from kernel memory. Without the keys there is no access to the disks.
>> After that another kernel is executed which wipes the memory of the
>> old kernel. If you just pull the plug memory will stay in its state
>> for an unspecified time.
>> Swap uses random keys.
>> Network switches and routers get power only after the firewall server is
>> up and running.
>> There is no easy way to enter the room without wiping the encryption
>> keys. Booting up the server requires that a boot disk is brought to
>> the computer to decrypt the boot drive. Grub2 can do this easily. This
>> is to prevent someone from tampering with a boot loader.
>> The system is not protected against hardware tampering. The server room
>> is an RF cage.
>> I consider this setup quite secure.
>
> It's nice to encrypt and wipe things automatically, but what about the backups?

Well I have backups on their own drive with their own keys. I have backups of the keys in another location. The drives are LUKS drives with detached LUKS info.

--
-Matti
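The door-switch reaction Matti describes (suspend every dm-crypt mapping so the volume keys leave kernel memory, then kexec into a kernel that scrubs RAM), together with the detached-header open and random-key swap from the same message, sketched as an added POSIX shell example. This is not code from the thread or from any poster's actual setup; the mapping names `root` and `data`, the wipe kernel at `/boot/vmlinuz-wipe` with initrd `/boot/wipe.img`, the header file `/keys/hdr.img` and the device paths are placeholders, and the `DRY_RUN` switch exists only so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread. Door-switch handler plus the
# detached-header and random-key-swap pieces described in the message.
# Placeholders (assumptions, not from the thread): mapping names "root" and
# "data", a memory-wiping kernel at /boot/vmlinuz-wipe with initrd
# /boot/wipe.img, and a LUKS header kept off the data disk at /keys/hdr.img.
set -eu

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MAPPINGS="${MAPPINGS:-root data}"            # opened dm-crypt mappings to suspend
WIPE_KERNEL="${WIPE_KERNEL:-/boot/vmlinuz-wipe}"
WIPE_INITRD="${WIPE_INITRD:-/boot/wipe.img}"
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1 (lets the logic be checked unprivileged).
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 on door-open: luksSuspend freezes I/O on each mapping and wipes its
# volume key from kernel memory; the data stays unreadable until a luksResume
# with the passphrase (or a reboot with the header and key material present).
wipe_keys() {
  for m in "$@"; do
    run "$CRYPTSETUP" luksSuspend "$m"
  done
}

# Step 2: replace the running kernel with a minimal one whose only job is to
# overwrite RAM, so nothing the old kernel held (keys, page cache) survives
# a later cold-boot read of the memory. The wipe kernel is assumed to exist.
wipe_old_kernel() {
  run kexec -l "$WIPE_KERNEL" --initrd="$WIPE_INITRD"
  run kexec -e
}

# Open a LUKS volume whose header is detached: the disk holds only ciphertext,
# and the header file (with its offsite copy) is what has to be brought along.
open_detached() {            # open_detached <device> <header-file> <mapping-name>
  run "$CRYPTSETUP" open --type luks --header "$2" "$1" "$3"
}

# Swap keyed from /dev/urandom on every boot: nothing to back up, nothing to recover.
setup_random_swap() {        # setup_random_swap <device> <mapping-name>
  run "$CRYPTSETUP" open --type plain --key-file /dev/urandom "$1" "$2"
  run mkswap "/dev/mapper/$2"
  run swapon "/dev/mapper/$2"
}

# Invoked as "door-open" by whatever watches the switch (GPIO, serial, udev rule).
case "${1:-}" in
  door-open)
    wipe_keys $MAPPINGS      # unquoted on purpose: one mapping per word
    wipe_old_kernel
    ;;
esac
```

A real deployment would also need the wipe kernel and the switch watcher themselves, and the `luksSuspend` step is only useful if the passphrase or key file is not sitting on the same machine; run with `DRY_RUN=1 ./door.sh door-open` to see the command sequence without touching any device.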
