Date: Mon, 02 Jun 2014 14:29:51 +0100
From: godzil
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
In-Reply-To: <804C80CA-09EB-4D11-AC06-D7AAFE836C90@iki.fi>
Message-ID: <167713ed7be1508339cf1fec03052889@ssl0.ovh.net>

So you back up to hard drive, not tape, and these are not incremental backups. But my question about backups was not only for you but for all who encrypt their servers. The backup part is generally the weakest point.

On 2014-06-02 13:58, Matti Nykyri wrote:
> On Jun 2, 2014, at 15:36, godzil wrote:
>
>> On 2014-06-02 13:23, Matti Nykyri wrote:
>>> On Jun 2, 2014, at 16:40, "J. Roeleveld" wrote:
>>> Well, I have a switch in the door of the server room. It opens when
>>> you open the door. That signals the kernel to wipe all the encryption
>>> keys from kernel memory. Without the keys there is no access to the disks.
>>> After that another kernel is executed which wipes the memory of the
>>> old kernel. If you just pull the plug, memory will stay in its state
>>> for an unspecified time.
>>> Swap uses random keys.
>>> Network switches and routers get power only after the firewall server is
>>> up and running.
>>> There is no easy way to enter the room without wiping the encryption
>>> keys. Booting up the server requires that a boot disk is brought to
>>> the computer to decrypt the boot drive. Grub2 can do this easily. This
>>> is to prevent someone from tampering with a boot loader.
>>> The system is not protected against hardware tampering. The server room
>>> is an RF cage.
>>> I consider this setup quite secure.
>>
>> It's nice to encrypt and wipe things automatically, but what about the
>> backups?
>
> Well, I have backups on their own drive with its own keys. I have
> backups of the keys in another location. The drives are LUKS drives
> with detached LUKS info.
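The door-switch key wipe Matti describes in the quoted reply, as an added example that is not code from the thread. It assumes dm-crypt/LUKS volumes, per-boot random swap keys, and a second kernel already staged with `kexec -l`; `cryptsetup luksSuspend` is the operation that drops a volume's master key from kernel memory and freezes I/O to it.

```shell
#!/bin/sh
# Added example, not code from the thread: a handler for the door-switch
# key wipe described above. Assumes dm-crypt/LUKS volumes, swap on random
# per-boot keys, and a second kernel already staged with `kexec -l`
# (that staged kernel, not this script, scrubs the old kernel's RAM).

# Names of active dm-crypt mappings. `dmsetup ls --target crypt` prints
# "<name><TAB>(major:minor)" per mapping; keep only the name column and
# ignore the "No devices found" message, which has no parenthesis.
crypt_mappings() {
    dmsetup ls --target crypt 2>/dev/null |
        sed -n 's/^\([^[:space:]]*\)[[:space:]]*(.*$/\1/p'
}

# Mapping name backing the root filesystem; empty if root is not on dm.
root_mapping() {
    findmnt -n -o SOURCE / 2>/dev/null | sed -n 's|^/dev/mapper/||p'
}

# luksSuspend drops the volume's master key from kernel memory and
# blocks all I/O to it until luksResume is run with the passphrase.
suspend_mapping() {
    cryptsetup luksSuspend "$1"
}

wipe_keys() {
    # Swap keys are random per boot, so there is nothing worth resuming.
    swapoff -a
    # Suspend the root volume last: once it is frozen nothing else can be
    # paged in from disk, so cryptsetup and kexec must already be resident.
    root=$(root_mapping)
    for m in $(crypt_mappings); do
        [ "$m" = "$root" ] || suspend_mapping "$m"
    done
    if [ -n "$root" ]; then
        suspend_mapping "$root"
    fi
    # Jump into the staged kernel, which overwrites the old kernel's memory.
    kexec -e
}

# Wire this to the door switch (udev rule, GPIO daemon, etc.):
#   wipe-keys.sh --wipe
case "${1:-}" in
    --wipe) wipe_keys ;;
esac
```

Suspending the root volume freezes anything not already in memory, so this script and the binaries it calls must be resident (for example copied to a tmpfs) before the switch trips.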