From Hackerspace Brussels

Fri 12 Mar 2010 19:00
till Fri 12 Mar 2010 23:59
What ??
whatever you're obsessed with for the moment
HSB Brussels,Belgium
ptr_, You ??
  • off-site secure storage

ptr_'s idea of off-site secure storage:

client (ecryptfs, nfs-client, vpn) + (vpn-enabled) NAS/fileserver


  • decrypt config files (0)
  • connect to VPN (config file on usb, keys, password) (1)
  • mount the network storage (nfs or samba) -- over the vpn (2)
  • mount the ecryptfs stackable filesystem (encrypts everything before saving to underlying storage -- in this case the nfs) (3)

(0) The config files needed for the VPN, the network storage, etc. are kept encrypted on disk and decrypted by the user when needed (e.g. with bcrypt, gpg or another command-line tool). This covers the config and scripts for the VPN, the armed firewall, smb/nfs and ecryptfs.

(1) VPN: makes sure you are communicating only with authenticated parties. This is true ONLY IF the storage device is physically secured: if an attacker has a copy of the private keys on the NAS, he can impersonate it! Even then the attacker only has access to encrypted data, but he can try to break into your PC through the VPN tunnel (blocked by the firewall).

(2) smb/nfs: connect to the network storage server. It provides neither user authentication nor access control, only a network filesystem.

(3) ecryptfs: encrypts all data before it leaves the PC. Everything saved on this mount is encrypted before it is written to the underlying fs, in our case the network storage from (2). It needs some config parameters when mounting (mount point, crypto algorithm, etc.), preferably stored in a script, cf. (0).
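A shell sketch of steps (0)-(3), added here as an example; it is not ptr_'s script (the page gives none). It assumes: the encrypted config bundle is storage.tar.gpg on the USB stick, the VPN is OpenVPN with its config in that bundle, the NAS is reached at 10.8.0.1 through tun0, and the ecryptfs mount options live in the bundle as well. The nas_via_vpn check refuses to mount the share unless the route to the NAS actually goes through the tunnel.

```shell
#!/bin/sh
# Added example, not from the page. All paths/addresses below are assumptions.
set -eu

USB=${USB:-/media/usb}
CFG=${CFG:-/dev/shm/storage-cfg}   # tmpfs: decrypted configs never hit the disk
NAS=${NAS:-10.8.0.1}               # NAS address inside the VPN (assumed)
VPN_IF=${VPN_IF:-tun0}
LOWER=${LOWER:-/mnt/nas}           # nfs mount: holds ciphertext only
UPPER=${UPPER:-/mnt/secure}        # ecryptfs mount: the plaintext view

# (0) decrypt the config bundle into RAM; gpg prompts for the passphrase
decrypt_config() {
    mkdir -p "$CFG" && chmod 700 "$CFG"
    gpg --decrypt "$USB/storage.tar.gpg" | tar -x -C "$CFG"
}

# (1) bring the VPN up; the "armed firewall" part: on the tunnel interface only
#     replies to our own connections get in, so the NAS side cannot reach the PC
vpn_up() {
    openvpn --daemon --cd "$CFG/vpn" --config "$CFG/vpn/client.ovpn"
    iptables -A INPUT -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i "$VPN_IF" -j DROP
}

# Pull the outgoing interface out of one line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Refuse to talk to the NAS unless the kernel routes it through the tunnel.
nas_via_vpn() {
    [ "$(route_dev "$(ip route get "$NAS" 2>/dev/null)")" = "$VPN_IF" ]
}

# (2) mount the network filesystem over the VPN
mount_nfs() {
    nas_via_vpn || { echo "NAS $NAS is not routed via $VPN_IF" >&2; return 1; }
    mkdir -p "$LOWER"
    mount -t nfs -o nosuid,nodev,noexec "$NAS:/export/secure" "$LOWER"
}

# (3) stack ecryptfs on top; mount.ecryptfs prompts for whatever the options
#     file omits (e.g. the passphrase). Example file content, assumed:
#     key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename_crypto=yes
mount_ecryptfs() {
    mkdir -p "$UPPER"
    mount -t ecryptfs -o "$(cat "$CFG/ecryptfs/mount.opts")" "$LOWER" "$UPPER"
}

if [ "${1:-}" = "up" ]; then decrypt_config; vpn_up; mount_nfs; mount_ecryptfs; fi
```

Run as `sh storage.sh up`; without the argument the script only defines the functions.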