[plug] Encrypted WD Mybook Live
brad at fnarfbargle.com
Tue Nov 13 13:52:13 WST 2012
On 13/11/12 13:33, Tim White wrote:
> Thanks for sharing Brad. I hadn't really considered the data side of
> having things stolen. I've constantly turned down the encrypted home
> option on installs, as I didn't see the need for it (desktop machines,
> don't have a laptop). I've always been worried about a few things,
> performance impact, and loss of encryption key (as from memory, it's a
> proper 2 way encryption key, protected with a password).
I backed up all superblocks, key blocks and configuration information
unencrypted on several identical CDs and I have those stored in trusted
friends' safes. I also have a passphrase protected USB key with each CD
that can be used to unlock the machines (except the Mybook - no USB
port) in case the keyserver gets hit. They are my "hail Mary pass".
I've used LUKS to make the config easier, and LUKS has utilities for
backing up anything you might need if you do something dumb (a far more
likely proposition than having it stolen).
None of these machines have encrypted root, only partitions where data
is stored (including swap). Encrypted root appears to require quite a
bit of additional futzing around to make it work.
The big save for me is the remote keyserver. The only machine that has a
human friendly passphrase is my laptop.
Recognising that the threat is physical theft, it's been an interesting
exercise in "how can I achieve this" without having to:
(a) remember a long passphrase
(b) use manual intervention to unlock after a power failure (or kernel
(c) guarantee that there is nothing that can be stolen with the machine
that can be used to unlock it
I suppose if I got really, really paranoid I could tie my alarm system
to the EPO on the UPS's, but then I'd end up rebooting every time the
wife forgot to put the dog outside before arming!
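
An added example, not part of the post above or of the LUKS tooling: a Python check that a header backup file (for instance one written by `cryptsetup luksHeaderBackup`) is actually usable before it is burned to CD and put in a safe. It assumes the LUKS1 on-disk layout; the function names and the sample header are constructed for illustration.

```python
import struct

# LUKS1 on-disk layout (big-endian): 208-byte preamble, then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
SECTOR = 512


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_luks1_backup(blob):
    """Summarise a LUKS1 header backup; raise ValueError if it is unusable."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("truncated: shorter than a LUKS1 header")
    (magic, version, cipher, mode, _hash, _payload, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    active = []
    for i in range(8):
        state, _it, _s, km_sector, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state == SLOT_ENABLED:
            # The preamble alone unlocks nothing: the slot's key material
            # (key_bytes * stripes bytes) must be inside the backup too.
            if len(blob) < km_sector * SECTOR + key_bytes * stripes:
                raise ValueError("slot %d key material missing" % i)
            active.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("slot %d has corrupt state" % i)
    if not active:
        raise ValueError("no active key slot: backup cannot unlock anything")
    return {"cipher": _text(cipher) + "-" + _text(mode),
            "uuid": _text(uuid), "active_slots": active}


def constructed_sample():
    """Constructed header: slot 0 active, 32-byte key, 4000 stripes."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                    bytes(20), bytes(32), 1000,
                    b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ENABLED, 1000, bytes(32), 8, 4000)
    slots += b"".join(SLOT.pack(SLOT_DISABLED, 0, bytes(32), 8, 4000)
                      for _ in range(7))
    return (hdr + slots).ljust(8 * SECTOR + 32 * 4000, b"\0")
```

Running `inspect_luks1_backup` on the bytes read back from the burned disc, rather than on the file before burning, also catches a bad burn.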