Subject: Re: [gentoo-user] Hard drive storage questions
From: Rich Freeman
To: gentoo-user@lists.gentoo.org
Date: Sat, 9 May 2015 14:16:05 -0400
In-Reply-To: <20150509144620.GC25204@ns1.bonedaddy.net>
List-Id: Gentoo Linux mail

On Sat, May 9, 2015 at 10:46 AM, Todd Goodman wrote:
>
> As for keys, you could use Amazon's AWS Key Management Service.
> Of course they could be sitting there gathering keys, but at some point
> you either have to trust they'll do what they say or simply decide not
> to use them at all (IMNHO.)

That is really intended more for credentials used for hosted systems to
communicate with other services/each other/etc.  If you have to have
your credentials in the cloud, then you might as well have a somewhat
secure way to manage them.  However, that is clearly inferior to not
putting credentials in the cloud in the first place.

>
> You could also use AWS Key Management for backup data you want
> "reasonably" secured and then your own keys for data you want more
> highly secured (hopefully much smaller so the verify costs are more
> reasonable.)
>

I just don't frequently verify my backups.  I'm willing to trust Amazon
to have my data when I ask for it.  That is their entire business model
with S3 and they're probably one of the stronger links in the data
security chain.  If I'm going to be paranoid about that, I'm going to
probably have other things I'd prefer to improve first.

I keep copies of my backup keys in a few places.  My threat model is
somebody hacking my account looking for personal data
(finances/keys/whatever).  If they hack into Amazon they won't have the
necessary keys.  If somebody manages to steal one of my keys in
safekeeping elsewhere, they won't have access to any of the data
encrypted using the key.  If the NSA or whoever is going to access my
Amazon data and also ask my bank to open my safe deposit box or
whatever, then more power to them.  I run a tor node, so they've
probably rooted my box anyway.

--
Rich
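The separation Rich describes above (backups in S3 hold only ciphertext, the key lives with the owner, so neither the storage provider nor someone who steals a stored key copy has anything usable on its own) is easy to demonstrate with client-side authenticated encryption. The following Go program is an added example written for this archive, not code from the thread or from any Gentoo or Amazon project; it uses only the standard library (AES-256-GCM), the backup contents and label are constructed sample values, and it makes no use of AWS KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBackup is the only thing that gets uploaded to the object store:
// the label, a fresh nonce and the AES-GCM ciphertext (which carries the
// authentication tag). No key material travels with it.
type EncryptedBackup struct {
	Label      string
	Nonce      []byte
	Ciphertext []byte
}

// NewBackupKey generates a 256-bit key that stays with the owner (local disk,
// a safe deposit box, etc.). On its own it is 32 random bytes and reveals
// nothing about any backup.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a backup under the locally held key. The label is bound as
// associated data, so a stored object cannot be silently swapped for another
// archive encrypted under the same key.
func Encrypt(key []byte, label string, plaintext []byte) (*EncryptedBackup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return &EncryptedBackup{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt restores a backup. It fails with an authentication error for any
// key other than the sealing key, and for any modified ciphertext or label.
func Decrypt(key []byte, b *EncryptedBackup) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Label))
	if err != nil {
		return nil, errors.New("backup does not authenticate under this key")
	}
	return pt, nil
}

func main() {
	// Constructed sample backup; in practice this is the archive being uploaded.
	backup := []byte("constructed sample backup: finances.ods, ssh keys, mail")

	ownerKey, _ := NewBackupKey()
	stored, _ := Encrypt(ownerKey, "home-2015-05-09.tar", backup)

	// Whoever holds only the stored object (the provider, or someone who got
	// into the account) cannot open it with any key but the owner's.
	otherKey, _ := NewBackupKey()
	if _, err := Decrypt(otherKey, stored); err != nil {
		fmt.Println("stored object alone:", err)
	}

	// The owner, holding the key kept elsewhere, restores cleanly.
	pt, err := Decrypt(ownerKey, stored)
	fmt.Printf("owner restore ok=%v, %d bytes\n", err == nil, len(pt))
}
```

The design choice worth noting is the use of an AEAD rather than bare CBC or CTR: a restore either yields the original bytes or fails outright, so a tampered or mislabelled object in the bucket is detected at decrypt time even though the owner never verifies the backups routinely.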