brent timothy saner on 9 Mar 2014 12:54:59 -0700


Re: [PLUG] Encrypting Sensitive Personal Information In the Cloud?


On 03/09/2014 02:52 PM, Rich Freeman wrote:
> Some thoughts regarding a few ideas that came up on this list:
> 1. An encrypted filesystem using LUKS is convenient, but doesn't
> actually move anything offsite.  You'll still want some kind of 
> offsite encrypted backup solution on top of that if you care about 
> security.  I might suggest duplicity, which can gpg encrypt and
> dump files on s3 automatically - I'm doing that for my home
> backups.

the example i provided creates a loopback setup, meaning you're
creating a filesystem *on a file*, which can be easily (and safely)
moved offsite.

> 2.  A risk with an encrypted filesystem using LUKS is that if 
> something does go wrong recovery may be more difficult.  I think
> that LUKS is just a block-based solution so I don't think that is a
> huge risk, but if something goes wrong with your encryption layer
> you may be hosed.  If this is just a local backup solution and you
> can verify data was written cleanly before moving it offsite or
> whatever then that isn't a problem.  If you're just going to work
> directly on a LUKS drive then that is just another reason to have a
> backup somewhere.

LUKS has a great legacy behind it and is quite stable. i use it for
all my mobile computing devices- have been for about 7 years now- and
have not once had an issue.

except forgetting the passphrase/losing the key file, because if you
do that, you have no other option except dd if=/dev/zero of=/dev/sda.
there's a reason LUKS is considered secure- nobody's broken it, and
it'd be extremely difficult to do so even in approach, let alone a
functional execution or even a proof-of-concept.

> Honestly, you might want to look at duplicity just as an archiving 
> solution - run it once on a directory and point it at s3 and
> you'll get an encrypted backup.

OP mentioned wanting to avoid GPG explicitly- but if he didn't,
duplicity (or boxbackup[0]) would be pretty close to what he wants.
both are, however, somewhat too full of overhead for the original
question- the solution i provided a couple replies back (re: loopback
LUKS) is all core linux stuff these days with the exception of
cryptsetup and git. dealing with your encrypted archive as a
filesystem in and of itself is <3 (bonus: with some xorriso hacking,
you can create optical media backups directly from the image file
itself for local archival).


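The loopback-LUKS approach the reply refers to, as an added example that is not the poster's own script: a bash helper that creates the container file, opens and mounts it, closes it for offsite copying, and checks the LUKS magic offline. The image path, size, mapper name and mount point are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Needs root and cryptsetup for the
# create/close steps; the header check runs unprivileged.
set -eu

IMG=${IMG:-backup.img}          # assumed: file that holds the filesystem
SIZE_MB=${SIZE_MB:-512}         # assumed container size
MAPPER=${MAPPER:-backupvault}   # becomes /dev/mapper/$MAPPER when open
MNT=${MNT:-/mnt/backupvault}    # assumed mount point

# Create the image, attach it to a loop device, LUKS-format it, open it
# and put an ext4 filesystem inside. umask keeps the image owner-only.
create_container() {
    (umask 077; dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MB" status=none)
    LOOP=$(losetup --find --show "$IMG")
    cryptsetup luksFormat "$LOOP"           # prompts for the passphrase
    # Header backup guards against header corruption (Rich's "hosed"
    # case); it does NOT help if the passphrase itself is forgotten.
    cryptsetup luksHeaderBackup "$LOOP" --header-backup-file "$IMG.hdr"
    cryptsetup open "$LOOP" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    mkdir -p "$MNT"
    mount "/dev/mapper/$MAPPER" "$MNT"
}

# Unmount and close so the image is one self-contained file that can be
# copied offsite; only the LUKS header is visible to whoever stores it.
close_container() {
    umount "$MNT"
    cryptsetup close "$MAPPER"
    losetup -d "$(losetup -j "$IMG" | cut -d: -f1)"
}

# Offline sanity check before shipping the file: a LUKS container begins
# with the magic bytes "LUKS" 0xBA 0xBE. Returns 0 if they are present.
luks_magic_ok() {
    local magic
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

case "${1:-}" in
    create) create_container ;;
    close)  close_container ;;
    check)  luks_magic_ok "$IMG" && echo "LUKS header present in $IMG" ;;
esac
```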

Philadelphia Linux Users Group