[plug] Encrypted WD Mybook Live

Brad Campbell brad at fnarfbargle.com
Tue Nov 13 13:52:13 WST 2012


On 13/11/12 13:33, Tim White wrote:
>
> Thanks for sharing Brad. I hadn't really considered the data side of
> having things stolen. I've constantly turned down the encrypted home
> option on installs, as I didn't see the need for it (desktop machines,
> don't have a laptop). I've always been worried about a few things,
> performance impact, and loss of encryption key (as from memory, it's a
> proper 2 way encryption key, protected with a password).

I backed up all superblocks, key blocks and configuration information 
unencrypted on several identical CDs and I have those stored in trusted 
friends' safes. I also have a passphrase-protected USB key with each CD 
that can be used to unlock the machines (except the Mybook - no USB 
port) in case the keyserver gets hit. They are my "hail Mary pass".

I've used LUKS to make the config easier, and LUKS has utilities for 
backing up anything you might need if you do something dumb (a far more 
likely proposition than having it stolen).

None of these machines have encrypted root, only partitions where data 
is stored (including swap). Encrypted root appears to require quite a 
bit of additional futzing around to make it work.

The big save for me is the remote keyserver. The only machine that has a 
human friendly passphrase is my laptop.

Recognising that the threat is physical theft, it's been an interesting 
exercise in "how can I achieve this" without having to:
(a) remember a long passphrase
(b) use manual intervention to unlock after a power failure (or kernel 
panic)
(c) guarantee that there is nothing that can be stolen with the machine 
that can be used to unlock it

I suppose if I got really, really paranoid I could tie my alarm system 
to the EPO on the UPSs, but then I'd end up rebooting every time the 
wife forgot to put the dog outside before arming!



