Subject: Re: [gentoo-user] Demise of Truecrypt - surprised I haven't seen this discussed here yet?
From: Matti Nykyri
To: gentoo-user@lists.gentoo.org
Date: Mon, 2 Jun 2014 15:58:34 +0300
Message-Id: <804C80CA-09EB-4D11-AC06-D7AAFE836C90@iki.fi>
In-Reply-To: <727112c3cda6ed9f4e944a735556b584@ssl0.ovh.net>
References: <538B1D0A.9070405@libertytrek.org> <20140602115624.214cbdbe@hactar.digimed.co.uk> <4689987.1Rn3xYxY0i@andromeda> <727112c3cda6ed9f4e944a735556b584@ssl0.ovh.net>

On Jun 2, 2014, at 15:36, godzil wrote:
> On 2014-06-02 13:23, Matti Nykyri wrote:
>> On Jun 2, 2014, at 16:40, "J. Roeleveld" wrote:
>> Well I have a switch in the door of the server room. It opens when you
>> open the door. That signals the kernel to wipe all the encryption keys
>> from kernel memory. Without the keys there is no access to the disks.
>> After that another kernel is executed which wipes the memory of the
>> old kernel. If you just pull the plug memory will stay in its state
>> for an unspecified time.
>> Swap uses random keys.
>> Network switches and routers get power only after the firewall server is
>> up and running.
>> There is no easy way to enter the room without wiping the encryption
>> keys. Booting up the server requires that a boot disk is brought to
>> the computer to decrypt the boot drive. Grub2 can do this easily. This
>> is to prevent someone from tampering with a boot loader.
>> The system is not protected against hardware tampering. The server room
>> is an RF cage.
>> I consider this setup quite secure.
>
> It's nice to encrypt and wipe things automatically, but what about the backups?

Well, I have backups on their own drive with its own keys. I have backups of the keys in another location. The drives are LUKS drives with detached LUKS info.

-- 
-Matti
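The mechanism Matti describes (door switch fires a key wipe, then a second kernel is kexec'd to scrub the old kernel's RAM; swap keyed from random data; backup drives as LUKS with the header kept elsewhere) is sketched below as an added shell example. It is not Matti's own script or configuration. It assumes dm-crypt/LUKS via cryptsetup (luksSuspend and --header support), kexec-tools, a door switch readable as a GPIO value file, and a purpose-built kernel and initramfs whose init only scrubs memory; the GPIO path, the kernel/initramfs paths and the mapping names are placeholders. Two caveats a practitioner would want: luksSuspend discards only the dm-crypt master key, so any plaintext still sitting in the page cache is exactly what the kexec scrub step exists for, and kexec cannot scrub the RAM the new kernel itself occupies; the script therefore prints its commands by default (DRY_RUN=1) so it can be reviewed before being wired to a real switch.

```shell
#!/bin/sh
# Added example, not the poster's own scripts. Assumptions: cryptsetup with
# luksSuspend and --header, kexec-tools, a door switch exported as a GPIO
# value file, and a hypothetical scrub kernel + initramfs at the paths below.
set -eu

DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands only
DOOR_GPIO="${DOOR_GPIO:-/sys/class/gpio/gpio17/value}"   # assumption: reads 1 when open
WIPE_KERNEL="${WIPE_KERNEL:-/boot/wipe-vmlinuz}"         # hypothetical RAM-scrub kernel
WIPE_INITRD="${WIPE_INITRD:-/boot/wipe-initrd.img}"      # hypothetical scrub initramfs

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Wipe the master keys of the named dm-crypt mappings from kernel memory.
# luksSuspend blocks I/O on the mapping and discards its key; the volume is
# only reachable again via luksResume with the passphrase.
panic_wipe_keys() {
    for name in "$@"; do
        run cryptsetup luksSuspend "$name"
    done
    # Replace the running kernel with one whose only job is scrubbing RAM,
    # so page cache and other leftovers of the old kernel do not survive.
    run kexec -l "$WIPE_KERNEL" --initrd="$WIPE_INITRD" --append="quiet"
    run kexec -e
}

# Poll the door switch; fire the key wipe as soon as it reports "open".
watch_door() {
    while :; do
        if [ "$(cat "$DOOR_GPIO")" = 1 ]; then
            panic_wipe_keys "$@"
            return
        fi
        sleep 1
    done
}

# Format a backup drive as LUKS with the header stored in a separate file:
# the drive itself then carries no LUKS magic, salt or key slots and is
# useless without the header, which is what gets backed up off-site.
make_detached_luks() {
    dev="$1"; header="$2"
    run cryptsetup luksFormat --header "$header" "$dev"
    run cryptsetup luksOpen --header "$header" "$dev" backup
}

# /etc/crypttab line for swap keyed from /dev/urandom at every boot, so
# nothing paged out can be recovered after power-off. Use a stable device
# path here; a renumbered /dev/sdX would be silently overwritten.
crypttab_random_swap() {
    printf 'swap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}

case "${1:-}" in
    watch) shift; watch_door "$@" ;;       # e.g. DRY_RUN=0 ./panic.sh watch root data
    panic) shift; panic_wipe_keys "$@" ;;
    *)     : ;;                            # no args: only define the functions
esac
```

Running `DRY_RUN=1 ./panic.sh panic root data` prints the four commands the wipe would execute; `crypttab_random_swap /dev/disk/by-partuuid/...` prints the crypttab line to append. Only the `watch` mode should ever be started with DRY_RUN=0, and only from an init script that runs after the mappings named on its command line have been opened.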