FrHackNight013
- off-site secure storage
ptr_'s idea of off-site secure storage:
client (ecryptfs, nfs-client, vpn) + (vpn-enabled) NAS/fileserver
workflow
- decrypt config files (0)
- connect to VPN (config file on usb, keys, password) (1)
- mount the network storage (nfs or samba) -- over the vpn (2)
- mount the ecryptfs stackable filesystem (encrypts everything before saving to underlying storage -- in this case the nfs) (3)
(0) The config files needed for the VPN, the network storage, etc. are stored encrypted on disk
and decrypted by the user when needed (e.g. with bcrypt, gpg or another command-line tool).
(config+scripts: vpn, armed firewall, smb/nfs, ecryptfs)
(1) vpn: to be sure you are communicating only with authenticated parties. This is true ONLY IF the storage device is physically secured: if an attacker has a copy of the private keys on the NAS, he can impersonate it! Even then the attacker only has access to encrypted data, but he can try to break into your PC through the VPN tunnel (blocked by the firewall).
(2) smb, nfs: connect to the network storage server. It does not provide user authentication or access control -- only a network filesystem.
(3) ecryptfs: encrypt all data before it leaves the PC. Everything saved on this mount is encrypted before it is saved onto the underlying fs -- in our case the network storage in (2). It needs some config parameters when mounting (mount point, crypto algo, etc) -- preferably stored in a script, cf. (0).
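
Added example (not part of the original notes): workflow steps (0)-(3) as one shell script that refuses to mount the NFS share unless the route to the NAS goes through the VPN device. The paths, the NAS address 10.8.0.1, the /export share and the file names inside the config bundle are assumptions; by default the script only prints the commands (set DRY_RUN=0 and run as root to execute them).

```sh
#!/bin/sh
# Added example: steps (0)-(3) as one fail-closed script. Paths, addresses and
# file names below are assumptions, not values from the original notes.
set -eu
DRY_RUN="${DRY_RUN:-1}"                             # 1 = only print the commands
CONF_GPG="${CONF_GPG:-/media/usb/offsite.tar.gpg}"  # encrypted config bundle (0)
WORK="${WORK:-/dev/shm/offsite}"                    # tmpfs: cleartext config off the disk fs
NAS_IP="${NAS_IP:-10.8.0.1}"                        # NAS address inside the VPN
TUN="${TUN:-tun0}"                                  # VPN tunnel device
NFS_MNT="${NFS_MNT:-/mnt/nas}"                      # encrypted lower directory (2)
PLAIN_MNT="${PLAIN_MNT:-/mnt/plain}"                # cleartext view (3)

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# True only if `ip route get` output ($1) leaves through device $2.
route_uses_tunnel() {
    case " $1 " in *" dev $2 "*) return 0 ;; *) return 1 ;; esac
}

# The share has no authentication of its own: wait for the tunnel, else refuse.
wait_for_tunnel() {
    i=0
    while [ "$i" -lt 30 ]; do
        route_uses_tunnel "$(ip route get "$NAS_IP" 2>/dev/null || true)" "$TUN" && return 0
        i=$((i + 1)); sleep 1
    done
    echo "route to $NAS_IP is not via $TUN, refusing to mount" >&2
    return 1
}

ecryptfs_opts() {   # mount parameters kept in the script, as note (3) suggests
    printf '%s' "key=passphrase:passphrase_passwd_file=$WORK/passphrase,"
    printf '%s' "ecryptfs_cipher=aes,ecryptfs_key_bytes=32,"
    printf '%s' "ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n"
}

main() {
    run mkdir -m 700 -p "$WORK"                                          # (0)
    run gpg --output "$WORK/conf.tar" --decrypt "$CONF_GPG"
    run tar -xf "$WORK/conf.tar" -C "$WORK"
    run openvpn --config "$WORK/vpn.conf" --daemon                       # (1)
    [ "$DRY_RUN" = 1 ] || wait_for_tunnel
    run mount -t nfs "$NAS_IP:/export" "$NFS_MNT"                        # (2)
    run mount -t ecryptfs "$NFS_MNT" "$PLAIN_MNT" -o "$(ecryptfs_opts)"  # (3)
}
main
```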