I got a good security one more ya.

Harijs Buss harijs at info-shelter.net
Fri Mar 31 16:33:03 UTC 2006 

On Friday 31 March 2006 18:49, Kent Borg rakstija:
> If you do have a good key and encryption, if you lose your key, 
> you are completely hosed.  There is no key recovery if you have 
> a secure  system.

Yep. That's the point :-)

> Disclaimer 1: I have not experimented with corrupting encrypted data
> and seeing what happens and how lethal it is.  It might not be as bad
> as I suggest, or it might be worse.

Some time ago I started to use external USB enclosures with IDE disks as 
backup devices. (Yeah, I know, but this is better than nothing anyway :-)  
Enclosures are "rotated" according to usual backup scheme. Only one of these 
devices are at the same time near backup source, the rest of them are kept 
off-site. Files on enclosure disks are synced with original ones using group 
of rsync commands. File system is XFS encrypted by AES method with 1024 bit 
key.  (This was done in another distro but probably there are no big 
differences).

Naturally I wanted to know what will happen if, for example, suddenly USB 
cable will be pulled out in the middle of big writing.  So I did try that :-)  
because in the worst case I simply would have to re-format the drive and 
re-write the info which is available.  Sure my 3 attempts can not count as 
"scientific experiment" but they give some impression anyway.  All three 
times after re-boot (to get rid of any buffered info) and re-connecting 
enclosure I was able to mount it as read-only and get off all files except 
one which was in writing process when USB cable was plugged out. One of my 
colleagues who made similar experiment, in one case could not mount the disk 
and therefore could not get anything out because of encryption. In all cases 
specific XFS utility programs could not do anything to repair file system, so 
I had to re-format partition and write all info that should be there. 

Encrypted file systems can be used quite easily but people should really 
understand that exactly because of good encryption it would be impossible to 
de-crypt info when key is lost. Any tech glitch can also lead to 
inaccessibility of info.  

But hey, we all make regular backups, don't we?  :-)

Harijs

More information about the ubuntu-users mailing list