tsftd (n00b)
Joined: 21 May 2011  Posts: 20  Location: Here
Posted: Fri Oct 17, 2014 3:27 am  Post subject: Appropriate encrypted disk setup for my usage
Hi all, I've been using Gentoo forever, but I'm finally starting to get serious about data security. My usage situation is:
Gentoo server used as a SAN (and router and server) --> Samba --> Windows 8.1 client mounts the shared drive.
The Gentoo server uses a small dedicated disk for / and a large RAID 10 array for /storage.
Assume that my security is configured appropriately, such that intrusion into the server and/or network is not a concern (e.g., data in transit need not be encrypted). Further assume that both server and client are locked when I am absent. I wish to guard against the case of intrusion and/or seizure while I am absent. Also assume that I will be manually entering the password to decrypt and mount the /storage drive.
What is my best method for encrypting my storage array? Most tutorials/articles that I have seen are on encrypting the boot drive. Unless there is a need to, I don't see any reason for me to encrypt / -- just /storage. That means I don't have to boot from an encrypted drive, and thus the setup should be vastly easier. Unless not encrypting the / drive somehow makes me vulnerable to having my /storage compromised (again, keeping in mind that I won't be storing the password, but entering it manually).
Also, is there anything particularly tricky that I need to watch out for, moving into encrypted data?
Cheers!
Roman_Gruber (Advocate)
Joined: 03 Oct 2006  Posts: 3846  Location: Austro Bavaria
Posted: Fri Oct 17, 2014 10:22 am
The keywords are LVM and LUKS. There should surely be an article on the Gentoo wiki.
I have used it myself for over 4 years successfully.
In short:
512 MB ext2 /boot with a kernel and initramfs from genkernel using LUKS / LVM
LVM container with LUKS inside, and LUKS for everything except /boot
You still have security issues with mainboard components, including hardware and software, and any other hardware with hidden backdoors in hardware or software. This is very hard to fix, because you buy hardware from certain sources and you will never know if there are backdoors / security holes / ... in it. It is an endless topic; this is just a small summary of my understanding.
frostschutz (Advocate)
Joined: 22 Feb 2005  Posts: 2977  Location: Germany
Posted: Fri Oct 17, 2014 11:18 am  Post subject: Re: Appropriate encrypted disk setup for my usage
tsftd wrote:
    I wish to guard against the case of intrusion and/or seizure while I am absent.
    Unless there is a need to, I don't see any reason for me to encrypt / -- just /storage.
If you don't encrypt everything, you have to watch out for leaks. For example, if you have pictures in /storage, some picture viewer may create thumbnails for them in /home/you/.config/pictures/. Also, the filenames of encrypted storage could be leaked by locate/updatedb kinds of services. It's a headache.
That might still be fine if all you worry about is a common burglar who enters your home and takes your precious hardware... however, it doesn't hold water against a tech-savvy person who somehow manages to change your unencrypted /boot or / in your absence without you knowing. They can just copy your encrypted data, add in a backdoor/keylogger and have your passphrase the next time you type it in. It's very hard to prevent an intruder who has physical access to your hardware.
Personally, I encrypt everything; and my /boot is a USB stick with encrypted keyfiles on it, so an attacker would need both the keyfile and the passphrase for it. The USB stick goes into your pocket and stays with you wherever you go, so it can't be modified in your absence... it's not much better, but it's something.