USB HDD with Loop-AES/LUKS
I've been experimenting with Loop-AES and LUKS for a few weeks now.
For test purposes, I setup a RAID-1 array. The array is encrypted with LUKS, and then a Loop-AES system sits on top of that.
Basically, I have a mount script I wrote that asks for both passwords then mounts the volume in /mnt where I can access it like a regular drive.
My goal: To do this with the external USB HDD, and keep the LUKS and Loop-AES keys on a CD in my SCSI CD drive, so it automatically mounts on boot. The contents of the drive is needed by apache, so it has to automatically mount during boot somehow.
I figure I can achieve the auto mount part by writing up an init script to mount it with the key files off the CD.
I know it's probably pointless to use both LUKS and Loop-AES for this, but if at all possible, I'd like to. I don't see why it wont work, it works with the internal RAID-1 array.
Nothing on the drive is actually of any security concern, it's simply the fact that too many people are probably crazy enough to come through the window to get it, so I want to make double sure if that does happen they have a useless drive. It hosts my media library, which I can VPN into from my phone. Auth over SSL over VPN tunnel. I'm always a bit paranoid...
So far, the pros & cons list:
+ Stealing the drive leaves the thief with nothing
+ Makes it less tempting to steak knowing its useless
+ If someone tries to copy the data off it while its connected, unmount/kill power.
+ CD can be removed and securely stored after boot.
- CD has to be in for boot
- Slower than just reading/writing to the drive
- More CPU load
Anyone care to chip in with comments/advice?
Well, just in other case(if you stored there something else than stolen music/videos/whatever you have there now).
CD can be stolen(or "kindly" asked to be given).
Apache has access? Anyone has access then. Encryption is usually meant for something that is for eye-reading only, some passwords, confidential documents, etc that is transferred by-hand and irregularly.
Also this is all partially remains in RAM/swap: how is that safe? It's safe when your entire system works in encrypted environment. Or it is said it's safe because safe is when the power cord disconnected :)
Don't abuse your CPU/RAM/hw resources for nothing and forum members time, unless you have a reason. Storing pirated music is not really a reason to post in Security.
Local security consists of an encrypted system as is, and apache is only accessible via localhost or VPN. Everything is firewalled, VPN restricted to certain IPs. Outside security is fairly strong.
Only issues are physical entry in which case a power cut solves all the problems, plus I don't ever leave the box logged in when I'm not around it. CD will be stored somewhere where it won't easily be found, and I won't fork it over easily if it comes down to that.
My media collection is rather large, and unfortunately too many people have seen me pull it up on my phone/laptop and know I have it stored at home.
|All times are GMT -5. The time now is 02:34 PM.|