[Dshield] data storage encryption
areust at comcast.net
Thu Jun 9 01:59:30 GMT 2005

This is quick and for some would seem fairly obvious without all the details.

Generally the encryption "agent" should be the same on both the source and
the storage. So if you mix Win with Nix you could run into recovery
problems. You also run the risk of the business not trusting you... YOU
hold the "only" key to their business...

Most competent encryption software has the user (which encrypts the
original data) and a recovery agent (administrator, should the user forget
the password/phrase). This allows multiple chances should something happen.

You are relying on one hard drive to protect data to be stored on another
hard drive. While the odds of both failing are slim, many could tell of
coincidence and that backups failed because of (fill in the blank)...

Security is currently littered with missing/lost off site backups. Not much
is mentioned as to the encryption method used to protect the backups in
transit. NO, UPS does not stand for Unbelievably Poor Service... LOL

Whatever method is used, the client (workstation) has to be able to decode
the encrypted data to put the business back in operation. IF it is double
encrypted for off site storage then that is another matter. What happens if
the company decides that they no longer want your services... They need
access to the second decryption device and the master password; that could
be a sealed envelope stored in a safety deposit box. This places you above
board and out of legal battles...

CD and DVD have taken a hit over deterioration (ten years/less). Tapes, well,
we all know that tapes fail...

Some companies are faced with restoring backup to drive media and then
re-archiving mandatory data.

Hard drive to hard drive is great for immediate restoration. CD/DVD is
great for larger long term... Storage and power for at risk components and
storage for archive media...

So a second hard drive and DVD in a fireproof safe helps in case of fire
that topples the local machine, and you could recommend that in the same
close off site storage a duplicate of the machine less the hard drive could
be ready in case of emergency... This all depends on what they know they
could lose per hour/day/week while rebuilding their business.

TEST YOUR BACKUPS!

At 07:53 PM 6/8/2005 +0200, you wrote:
>I have to create a system to encrypt data contained in a storage server,
>the procedure will be:
>-extract the data from source server in a HD
>-insert the HD in the storage server
>-power on the server
>-copy the data
>-shut down the server
>This process should be as automatic as possible, only requiring the
>insertion of the HD in the system.
>The data should be encrypted once in the server.
>My suggestion is to install Linux with dm-crypt, and make a script that
>mounts the encrypted volume at startup, copies the data and shuts down the
>The problem I see in my way is the automation of it, because I should
>retain the key/password to encrypt in some part of the script, so if anyone
>has the server they only have to turn it on.....
>I thought of a solution: make a LiveCD with Linux and the key inside,
>and never have the server and the CD together without supervision.
>Of course maybe this method is a great stupid way of doing it.
>I appreciate any suggestion to solve the problem or modify what I thought.
>Suggestions on cipher algorithm will be welcome too.
>Thanks a lot