Join Log in
Score:1
avatar Ubuntu

How do I Effectively Implement Encryption?

ng flag
RKillcrazy

It sounds like an odd question but, I've always worried about encrypting something and then losing the keys to get it back. I use MFA, good password policies, etc. I run regular [local] backups. I feel like the only thing I'm not doing is encrypting my data. (This is the main reason I don't do a lot of remote backups; I want my data to be encrypted before sending it off-site.) The only reason I've not done so is my fear of losing the data one day. Losing MP3s is on thing; I can always rip my old CDs again. However, I have family photos and videos that can never be reproduced.

I know I can install drives and encrypt them. I know I can install the OS and encrypt the whole drive during setup. Encrypting the data isn't the issue... My issue is: How do you deal with keeping the keys to the castle safe? What are the SOPs? What are things you've tried? What doesn't work or is not a good idea? We've enabled BitLocker at work and the keys are stored in AD but, that's how Windows handles it. What do we do in the Ubuntu/Linux world?

In my own testing, I had built a QEMU VM for testing the ability to recover files from an encrypted system via the Live CD but, it failed to allow me to recover my test files. Yes, I had enabled the Universal repo and installed ecryptfs-utils. However, when I went to browse the files, it would not unlock the disk when I dropped in my passphrase - that worked fine to unlock the disk during normal boot. I'm guessing I did something wrong in the Live environment so I'm rebuilding the VM just to be sure.

39
0 + 5
ru flag
Thomas Ward
Backing up your encryption keys securely are going to be key, and then keeping them safe. I keep my encryption keys for systems on hardware-encrypted USB sticks like the Aegis SecureKey USB sticks, and then that in my gun safe which is locked to my code. One of the people I know keeps 'keys to the kingdom' recovery keys on a USB hard drive (in triple copies, so there's 3 drives) in a fireproof lockbox in their rack at the datacenters. It really depends on what you choose to do there. (Bitlocker and AD integration is... a bit more unique with KMS.)
2
Reply
ng flag
RKillcrazy
I was always told that USB sticks are not backup devices. Then again, CDs & DVDs can degrade or fail too so, I guess one needs to make up their own mind what constitutes as a backup. I suppose one could type and print the codes and store them in a safe as well. But, how many layers of security do you need? How far out of your bubble to you protect yourself? "What if the house burns down?" "What if someone steals the safe?" "What if...." These are the things that work their way into my mind when trying to figure out all the points of failure.
0
Reply
Sebastian avatar
in flag
Sebastian
All storage media can fail, so can online backups, but if you have two USB sticks (or memory cards), one at home (separate from your PC in case that fails), one say at the office (in case the house burns down), and another backup online, it is _very_ unlikely that all three fail at the same time. That's the same principle applied in any safety-critical field - redundancy. And when I encrypt my backup media well, I don't even have to worry about them being stolen. But no matter what you do, you will have to keep at least one reasonably strong password committed to memory.
0
Reply
ru flag
Thomas Ward
@RKillcrazy as a Security person myself, in the ITSec world, the 'layers of protection' and 'layers of backups' is entirely dependent on you or your company's level of paranoia and what *they* mandate for policy. "How many layers" as such is too broad to be answered here.
0
Reply
ng flag
RKillcrazy
So, you guys feel my pain and understand what's going through my head. I guess it all boils down to duplicate copies of the keys in multiple locations. Having worked as a Sys-Admin for almost 20 years, we've always said a DR plan is only as good as the times you put theory into practice. Meaning, you have to test your backups and your recovery strategy now and then. So, from the looks of things, there is no silver bullet; you just have to make copies of keys and hope nobody gets them and hope that I never end up senile enough to forget the password into my safe.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.