[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Encrypted partition backups.



Bruno Wolff III wrote:
On Wed, Jan 14, 2009 at 10:31:53 -0700,
  Robin Laing <Robin Laing drdc-rddc gc ca> wrote:
Encryption to the level of encrypted home directories isn't being used yet. I asked them if they had any ideas and we agree that for incremental backups, a block diff would have to be done. Of course, depending on the size of the partition, this could take some time. I don't know.

It's possibly too late for this, but what threat are you trying to counter
by encrypting by home directores?

Encrypting by partition and leaving them mounted all of the time would allow
administrator access for making incremental backups. Most likely your admins
are already trusted, as they could steal the passphrases needed to unlock the
home directories my modifying the program that prompts for passwords or
pulling keys out of memory. So encrypting home directories to prevent their
access shouldn't be needed from a security perspective. There could be
regulatory reasons you might have to do things that way.

If you are trying to protect the users from accidentally letting other users
see their stuff, there are probably other ways to do this without causing
problems for making backups.



It is an array of issues.

As simple as preventing someone from seeing the files indirectly to the requirement for full encryption beyond just file encryption (PGP or TrueCrypt).

In some cases, there may be two or even three levels of encryption being used. Sorry but I cannot go into details than there is a requirement. There is a chance that laptops can be lost/stolen. I do understand that in most cases, the drives will be formatted and just sold to run Windows on but if they are stolen/hacked for other reasons, then layers of protection need to be in place. It is like having a firewall at the gateway to the Internet and then having a second firewall on the computer for a second layer of protection.

In some cases, due to shared work spaces and shared computers (I love our tight economy) there is also a need for increased levels of security. At present, our home directories are mounted at login already on desktops, to allow sharing between work stations so this is part of the present domain. Encryption is just adding to this.

We could look at a backup routine that only backs up at times that users are logged into the network but this could hit the network at its busiest times.


--
Robin Laing


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]