Sam Gleske on 17 Apr 2012 14:15:22 -0700



Re: [PLUG] Server credential storage best practices


As for passwords and account information you should use something like Keepass.  It's a great utility, secure, and designed for just that.  As for client information and other misc files (word documents, financial data, spreadsheets, etc.) which you can't keep in a keepass database (nor should you) I recommend using TrueCrypt.  TrueCrypt allows you to create mountable volumes which are encrypted.  Using software like that which is designed and battle tested should have higher weight than homebrew scripts.  As much as I like openssl, it's not really intended for hundreds of documents at once.  Use the right tool for the right job.

Before storing anything off-site on servers which you don't control you should be aware of the risks.  I notice people are recommending DropBox but around June of last year there was a failure in which all user files were open to the world without authentication or notice to the user.
http://itknowledgeexchange.techtarget.com/cio/vulnerability-in-dropbox-security-leaves-user-accounts-wide-open/

Also Dropbox has stated that their service is not intended as a backup service but a file syncing service.  So if you store your files there as a backup there's no guarantee that they'll be there the next day if XYZ dropbox server goes down.  I'm not saying Dropbox is a bad idea, as long as you secure your files before storing them on Dropbox, but you should be aware of the implications.  Dropbox shouldn't be your only backup copy.  Preferably use something off-site that you control as a back-up only for your encrypted files.  You should imagine if someone stole your laptop, would you be in dire straits?  Make lots of secure copies (i.e. secure first in TrueCrypt and then backup the tc volume).  It is best to evaluate all of your options and make your own informed decision.  You should put security above all else since it's business data.

To reiterate and emphasize again:
  1. Keepass for password and account information - http://keepass.info/
  2. TrueCrypt for storing all business related data (including the keepass file) - http://www.truecrypt.org/

SAM
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
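The "secure first, then back up the container" workflow from the post above, written out as a small POSIX shell script. This is an added example, not code from Sam's message or from the TrueCrypt or KeePass projects. It assumes the encrypted container and password database follow the usual `.tc` and `.kdbx` naming convention, and it uses a file of random bytes as a constructed stand-in for a real TrueCrypt volume. The name check is only a cheap guard; the substantive protection is that the backup set is built from the closed container file and never from the mounted plaintext directory, and each off-site copy is verified against the source's SHA-256 before it counts.

```sh
#!/bin/sh
# Added example (not from the PLUG post): back up only the encrypted
# container, never its mounted plaintext, and keep several verified copies.
set -eu

# Accept only files that are expected to be encrypted at rest:
# a TrueCrypt volume (.tc) or a KeePass database (.kdbx).
# A TrueCrypt volume has no magic header, so the file name is the only
# cheap signal available here; anything else is treated as plaintext.
is_backup_candidate() {
    case "$1" in
        *.tc|*.kdbx) return 0 ;;
        *)           return 1 ;;
    esac
}

# backup_container SRC DEST_DIR...
# Copies the container SRC into each DEST_DIR and checks that every copy's
# SHA-256 matches the source. Prints the number of verified copies.
# Refuses (exit 1) if SRC is not an encrypted container by name.
backup_container() {
    src="$1"; shift
    if ! is_backup_candidate "$src"; then
        echo "refusing to back up plaintext: $src" >&2
        return 1
    fi
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    name=$(basename "$src")
    verified=0
    for dest in "$@"; do
        mkdir -p "$dest"
        cp "$src" "$dest/$name"
        copy_sum=$(sha256sum "$dest/$name" | cut -d' ' -f1)
        if [ "$copy_sum" = "$src_sum" ]; then
            verified=$((verified + 1))
        else
            echo "checksum mismatch for copy in $dest" >&2
        fi
    done
    echo "$verified"
}

# Demo with a constructed stand-in for a TrueCrypt volume (random bytes,
# not a real container) and two hypothetical off-site destinations.
demo_dir=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo_dir/business.tc"
copies=$(backup_container "$demo_dir/business.tc" \
                          "$demo_dir/offsite-a" "$demo_dir/offsite-b")
echo "verified copies: $copies"
# A plaintext document is rejected outright; the "if" keeps set -e quiet.
if backup_container "$demo_dir/clients.xlsx" "$demo_dir/offsite-a" 2>/dev/null; then
    echo "unexpected: plaintext accepted"
fi
rm -rf "$demo_dir"
```

The destinations here are plain directories; in practice they would be a mounted remote share, a synced folder, or a USB drive, and the same checksum step still applies. The point is that whatever the remote side is, it only ever receives the closed container.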