Encrypted partition backups.

Robin Laing Robin.Laing at drdc-rddc.gc.ca
Thu Jan 15 19:33:51 UTC 2009 

Bruno Wolff III wrote:
> On Wed, Jan 14, 2009 at 10:31:53 -0700,
>   Robin Laing <Robin.Laing at drdc-rddc.gc.ca> wrote:
>> Encryption to the level of encrypted home directories isn't being used  
>> yet.  I asked them if they had any ideas and we agree that for  
>> incremental backups, a block diff would have to be done.  Of course,  
>> depending on the size of the partition, this could take some time.  I  
>> don't know.
> 
> It's possibly too late for this, but what threat are you trying to counter
> by encrypting by home directores?
> 
> Encrypting by partition and leaving them mounted all of the time would allow
> administrator access for making incremental backups. Most likely your admins
> are already trusted, as they could steal the passphrases needed to unlock the
> home directories my modifying the program that prompts for passwords or
> pulling keys out of memory. So encrypting home directories to prevent their
> access shouldn't be needed from a security perspective. There could be
> regulatory reasons you might have to do things that way.
> 
> If you are trying to protect the users from accidentally letting other users
> see their stuff, there are probably other ways to do this without causing
> problems for making backups.
> 
> 

It is an array of issues.

As simple as preventing someone from seeing the files indirectly to the 
requirement for full encryption beyond just file encryption (PGP or 
TrueCrypt).

In some cases, there may be two or even three levels of encryption being 
used.  Sorry but I cannot go into details than there is a requirement. 
There is a chance that laptops can be lost/stolen. I do understand that 
in most cases, the drives will be formatted and just sold to run Windows 
on but if they are stolen/hacked for other reasons, then layers of 
protection need to be in place.  It is like having a firewall at the 
gateway to the Internet and then having a second firewall on the 
computer for a second layer of protection.

In some cases, due to shared work spaces and shared computers (I love 
our tight economy) there is also a need for increased levels of 
security.  At present, our home directories are mounted at login already 
on desktops, to allow sharing between work stations so this is part of 
the present domain.  Encryption is just adding to this.

We could look at a backup routine that only backs up at times that users 
are logged into the network but this could hit the network at its 
busiest times.


-- 
Robin Laing

More information about the fedora-list mailing list