Gentoo Archives: gentoo-user

From: godzil <godzil@××××××.net>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
Date: Mon, 02 Jun 2014 13:30:04
Message-Id: 167713ed7be1508339cf1fec03052889@ssl0.ovh.net
In Reply to: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet? by Matti Nykyri
So you back up on hard drive, not tape, and these are not incremental
backups.

But my question about backup was not only for you but for all that
encrypt their servers.

The backup part is generally the weakest point.


On 2014-06-02 13:58, Matti Nykyri wrote:
> On Jun 2, 2014, at 15:36, godzil <godzil@××××××.net> wrote:
>
>> On 2014-06-02 13:23, Matti Nykyri wrote:
>>> On Jun 2, 2014, at 16:40, "J. Roeleveld" <joost@××××××××.org> wrote:
>>> Well I have a switch in the door of the server room. It opens when
>>> you
>>> open the door. That signals the kernel to wipe all the encryption
>>> keys
>>> from kernel memory. Without the keys there is no access to the disks.
>>> After that another kernel is executed which wipes the memory of the
>>> old kernel. If you just pull the plug memory will stay in its state
>>> for an unspecified time.
>>> Swap uses random keys.
>>> Network switches and routers get power only after firewall-server is
>>> up and running.
>>> There is no easy way to enter the room without wiping the encryption
>>> keys. Booting up the server requires that a boot disk is brought to
>>> the computer to decrypt the boot drive. Grub2 can do this easily.
>>> This
>>> is to prevent someone to tamper with a boot loader.
>>> System is not protected against hardware tampering. The server room
>>> is an RF-cage.
>>> I consider this setup quite secure.
>>
>> It's nice to encrypt and wipe things automatically, but what about the
>> backups?
>
> Well I have backups on their own drive with its own keys. I have
> backups of the keys in another location. The drives are LUKS drives
> with detached LUKS info.