[Dshield] data storage encryption

Suscripcions tsolucio suscripcions at tsolucio.com
Thu Jun 9 08:13:18 GMT 2005

Thanks for your answer, I apreciate it a lot, in the general context of
backups, but I think the answers are going in other way, the offsite,
fireproof, long therm storage, bussiness relations, etc... Are covered,
the recuperation agent will be determined based in the encryption
I don't want any legal problem if the client stop working with us, so I
will prepare all to prepare this incovenience.

After that, I will explain a bit how works, and the motivation of the
question here, to clarify all the theme.
Data is gathered---processed--(when they finish)stored in a trust

They have all the data duplicated in the work server and the storage
server, if no virus incidence was occured in the 24h after a backup, the
data is passed to trust server. In the trust server they need assurance
of no virus is in it.
The way trasnfering the data is with a "HD extraible" (don't know the
english word), the client only asked me how make the process of coping
the data in the trust server automatic.
My surprise was when I see the trust server, windows 98, and the process
copy: a bat archive. No comment......
Of course I said to the client that I could improve that for automate
My original think was to install a linux that start-copy-shut down.
But how doing a encrypted partition isn't much more work, why not?
The only problem was my original question: how store securly the key to
automate it.
I wish not being too much extend in my explanation.
Thanks for your time.

El mié, 08-06-2005 a las 18:59 -0700, Al Reust escribió:
> Isaac
> This is quick and for some would seem fairly obvious without all the details.
> Generally the encryption "agent" should be the same on both the source and 
> the storage. So if you mix Win with Nix you could run into recovery 
> problems. You also run the risk of the business not trusting you... YOU 
> hold the "only" key to their business...
> Most competent encryption software have the user (which encrypts the 
> original data) and a recovery agent (administrator should the user forget 
> the password/phrase). This allows multiple chances should something happen.
> You are relying on one hard drive to protect data to be stored on another 
> hard drive. While the odds of both failing are slim, many could tell of 
> coincidence and that backups failed because of (fill in the blank)...
> Security is currently littered with missing/lost off site backups. Not much 
> is mentioned as to the encryption method used to protect the backups in 
> transit. NO UPS does not stand for Unbelievably Poor Service... LOL
> Whatever method is used the client(workstation) has to be able to decode 
> the encrypted data to put the business back in operation. IF it is double 
> encrypted for off site storage then that is another matter. What happens if 
> the company decides that they no longer want your services... They need 
> access to the second decryption device and the master password, that could 
> a sealed envelope stored in a safety deposit box. This places you above 
> board and out of legal battles...
> CD and DVD have taken a hit over deterioration (ten years/less). Tapes well 
> we all know that tapes fail...
> Some companies are faced with restoring backup to drive media and then re 
> archiving mandatory data.
> Hard drive to hard drive is great for immediate restoration. CD/DVD is 
> great for larger long term... Storage and power for at risk components and 
> storage for archive media...
> So a second Hard drive and DVD in a Fireproof safe helps in case of fire 
> that topple the local machine and you could recommend that in the same 
> close off site storage a duplicate of the machine less the hard drive could 
> be ready incase of emergency... This all depends on what they know they 
> could lose per hour/day/week while rebuilding their business.
> R/
> Al
> At 07:53 PM 6/8/2005 +0200, you wrote:
> >I have to create a system to encrypt data contained in a storage server,
> >the procedure will be:
> >-extract the data from source server in a HD
> >-insert the HD in the storage server
> >-power on the server
> >-copy the data
> >-shut down the server
> >
> >This process should be as automatic as possible, only requiring the
> >insertion of the HD in the system.
> >The data should be encrypted once in the server.
> >My suggestion is to install linux with dm-crypt, and make a script that
> >mount the encrypted volum at the startup, copy the data and shutdown the
> >computer.
> >The problem I see in my way it's the automatism of it, because I should
> >retain key/password to encrypt in any part of the script, so if anyone
> >has the server only should turn on.....
> >I thought a solution, make a Livecd with the linux and the key inside,
> >and never has the server and the cd together without supervision.
> >Of course maybe this method is a great stupid way of do it.
> >I appreciate any suggestion to solve the problem or modify that I thought.
> >Suggestions on cipher algoritm will be welcome too.
> >Thanks a lot
> >-------------- Sponsor Message ------------------------------------
> >Join us at SANSFIRE 2005 in Atlanta!
> >The Internet Storm Center Conference.
> >Details: http://www.sans.org/sansfire2005
> >
> >_______________________________________________
> >send all posts to list at lists.dshield.org
> >To change your subscription options (or unsubscribe), see: 
> >http://www.dshield.org/mailman/listinfo/list
> -------------- Sponsor Message ------------------------------------
> Join us at SANSFIRE 2005 in Atlanta!
> The Internet Storm Center Conference.
> Details: http://www.sans.org/sansfire2005
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
Suscripcions tsolucio <suscripcions at tsolucio.com>

More information about the list mailing list