Encrypting Your Files. Because nobody else will And would you trust them if they did?



Similar documents
On Disk Encryption with Red Hat Enterprise Linux

Installing Ubuntu LTS with full disk encryption

Backtrack 4 Bootable USB Thumb Drive with Full Disk Encryption

LVM2 data recovery. Milan Brož LinuxAlt 2009, Brno

USTM16 Linux System Administration

Disk encryption... (not only) in Linux. Milan Brož

Redundant Array of Inexpensive/Independent Disks. RAID 0 Disk striping (best I/O performance, no redundancy!)

Replacing a Laptop Hard Disk On Linux. Khalid Baheyeldin KWLUG, September 2015

Navigating the Rescue Mode for Linux

Everyday Cryptography

Planning for an Amanda Disaster Recovery System

USB Bare Metal Restore: Getting Started

BackTrack Hard Drive Installation

PA-5000 Series SSD Storage Options Configuring RAID and Disk Backup

Data storage, backup and restore

Acronis Backup & Recovery 10 Server for Linux. Command Line Reference

Using Network Attached Storage with Linux. by Andy Pepperdine

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

Linux Backups. Russell Adams Linux Backups p. 1

4PSA Total Backup User's Guide. for Plesk and newer versions

Rsync: The Best Backup System Ever

ucloud server User Guide v3.0 ( )

Creating a Cray System Management Workstation (SMW) Bootable Backup Drive

Understanding Core storage, logical volumes, and Fusion drives.

BackupAssist v6 quickstart guide

RapidSeed for Replicating Systems Version 7.4

File Protection using rsync. Setup guide

Encryption Security Recommendations

CHAPTER 9 System Backup and Restoration, Disk Cloning

Shared Storage Setup with System Automation

WES 9.2 DRIVE CONFIGURATION WORKSHEET

How To Manage Your Volume On Linux (Evms) On A Windows Box (Amd64) On A Raspberry Powerbook (Amd32) On An Ubuntu Box (Aes) On Linux

SmartSync Backup Efficient NAS-to-NAS backup

BackupAssist v6 quickstart guide

HTTP-FUSE PS3 Linux: an internet boot framework with kboot

System Administration. Backups

SUSE Manager in the Public Cloud. SUSE Manager Server in the Public Cloud

NAS 259 Protecting Your Data with Remote Sync (Rsync)

How to Backup XenServer VM with VirtualIQ

Do it Yourself System Administration

Restoring a Windows 8.1 system from complete HDD failure - drivesnapshot

PostgreSQL Backup Strategies

Ubuntu Professional Training Course Overview (E-learning, Ubuntu LTS)

Rsync based backups. Rsync is essentially a directory syncing program.

RecoveryVault Express Client User Manual

GostCrypt User Guide. Laboratoire de Cryptologie et de Virologie Opérationnelles - France

Cloud Attached Storage

GROUP TEST. Encryption. On Test. You ll find lots of encryption software in your distribution s package repository

Oracle VM Server Recovery Guide. Version 8.2

Kaseya 2. User Guide. Version 7.0. English

Exporting s from Outlook Version 1.00

BACKUP YOUR SENSITIVE DATA WITH BACKUP- MANAGER

Backing Up Your System With rsnapshot

User Guide. Laplink Software, Inc. Laplink DiskImage 7 Professional. User Guide. UG-DiskImagePro-EN-7 (REV. 5/2013)

Online Backup Linux Client User Manual

Online Backup Client User Manual

Red Hat Certifications: Red Hat Certified System Administrator (RHCSA)

Other trademarks and Registered trademarks include: LONE-TAR. AIR-BAG. RESCUE-RANGER TAPE-TELL. CRONY. BUTTSAVER. SHELL-LOCK

CloudBerry Dedup Server

Last modified: September 12, 2013 This manual was updated for TeamDrive Personal Server version

Installation and Setup: Setup Wizard Account Information

Acronis True Image 2015 REVIEWERS GUIDE

PGP Desktop Quick Start Guide version 9.6

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

CS615 - Aspects of System Administration

Connectivity using ssh, rsync & vsftpd

Acronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide

2.8.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 16

Step One: Installing Rsnapshot and Configuring SSH Keys

WARNING!!: Before installing Truecrypt encryption software on your

FileCruiser Backup & Restoring Guide

A SHORT INTRODUCTION TO DUPLICITY WITH CLOUD OBJECT STORAGE. Version

1. Product Information

Online Backup Client User Manual Linux

Adaptable System Recovery (ASR) for Linux. How to Restore Backups onto Hardware that May not be Identical to the Original System

Cumulus: filesystem backup to the Cloud

CA arcserve Unified Data Protection Agent for Linux

Linux Disaster Recovery best practices with rear

Linux Filesystem Comparisons

Week Overview. Running Live Linux Sending from command line scp and sftp utilities

Automating the deployment of FreeBSD & PC-BSD systems. BSDCan Kris Moore PC-BSD / ixsystems kris@pcbsd.org

HOW ENCRYPTION WORKS. Introduction to BackupEDGE Data Encryption. Technology Overview. Strong Encryption BackupEDGE

Linux Software Raid. Aug Mark A. Davis

Adobe Marketing Cloud Using FTP and sftp with the Adobe Marketing Cloud

Acronis Backup & Recovery 10 Server for Linux. Installation Guide

How To Set Up Software Raid In Linux (Amd64)

Backup Software Comparison Table

Recommended Backup Strategy for FileMaker Server 10 and 11 for Macintosh & Windows Updated September 2010

Linux Powered Storage:

Jetico Central Manager. Administrator Guide

For Hyper-V Edition Practical Operation Seminar. 4th Edition

Yiwo Tech Development Co., Ltd. EaseUS Todo Backup. Reliable Backup & Recovery Solution. EaseUS Todo Backup Solution Guide. All Rights Reserved Page 1

Installing Debian with SATA based RAID

Transcription:

Encrypting Your Files Because nobody else will And would you trust them if they did?

Why? Sensitive personal information NSA Identity thieves

Linux Disk Encryption Dm-crypt is default under Linux Full file systems Partial file systems with loop-back device LUKS Easier to use More options Supports TrueCrypt volumes

Linux Unified Key Setup Extends the dmcrypt program Encrypts the partition BEFORE the file system is created Works with LVM and RAID partitions Almost the whole disk (still need /boot) Or just specific partitions (sda2, sda5, etc.) Multiple passphrases for each container Built into many installers

Issues Everyone knows you have an encrypted partition Have to provide a passphrase on boot This can be inconvenient at times No in-place encryption Pre-existing data will NOT be removed/encrypted Effectiveness on SSD not yet clear Especially if you don't encrypt on initial install

Important Points Difference between passphrase and master key Difference between container, partition, and file system Encryption won't protect you from a disk crash Disk encryption only really protects your data when the system is off Entropy on system during initial setup Master key and passphrase hash iterations LUKS header (first 2 MB on disk)

Setting up encrypted file system Create the partition (fdisk, parted) Wipe the disk shred -v --iterations=1 /dev/$device Create the container cryptsetup --verbose --verify-passphrase luksformat /dev/ $DEVICE Open the container cryptsetup open /dev/$device $NAME --type luks Provide passphrase when prompted

Other option: cryptsetup luksopen Verify, just to be sure ls -l /dev/mapper/$name../dm-# Create the filesystem mkfs -t {ext3/4/btrfs} /dev/mapper/$name Edit /etc/crypttab $NAME /dev/$device {-,none,/password/path} options Last 2 columns are optional Device can be specified by UUID, disk-by-id Options include: luks, noauto, nofail, swap, size=, timeout=

Edit /etc/fstab /dev/mapper/$name /mount/point FSTYPE defaults,nofail,noauto,users,{others} 0 2 fsck can't run until the container has been opened Mount the filesystem mount /mount/point

cryptsetup commands luksformat /dev/$device open /dev/$device $NAME {--type luks} close $NAME status $NAME lukssuspend $NAME luksaddkey /dev/$device luksremovekey /dev/$device

luksdump /dev/$device --dump-master-key luksheaderbackup /dev/$device --headerbackup-file /path/to/file luksheaderrestore /dev/$device --headerbackup-file /path/to/file benchmark DEMO

What about backups? Encrypted file systems don't protect you from failed disks If your data is important enough to encrypt on a live system, you should protect the backups For best protection, your backups should be at a second site

duplicity Built on python Encrypts using gnupg rsync like backups (block level changes) Also compresses files during backup Maintains 2 copies of the database Uses relative path within backups/restores Uses multiple back ends to transfer files to remote location

Backends: Amazon web service Google cloud storage Google docs Rackspace Dropbox rsync ftp(s) ssh/sftp/scp (2 different backends) Ubuntu One

Supports both symmetric and public key encryption (or no encryption, if desired) Local database files are NOT encrypted Full vs. incremental backups Multiple named backups Deletion of old backups Restore to point in time, not just most recent Can sign encrypted backups with 2 nd key Can include/exclude files from backup Creates 25MB volumes by default

Lessons Learned Full backups support BOTH symmetric passphrase and public keys, but incremental backups do not Put /tmp on a tmpfs, rather than disk, to increase speed Requires more disk space for restores than for backups

Symmetric Encryption PASSPHRASE=XXXXXXXXXX export PASSPHRASE duplicity --archive-dir /archive --name remotenet --ssh-backend pexpect /home/ $USER sftp://user@remote/relative/path

Public Key Encryption duplicity archive-dir /archive -name remotenet encrypt-key 08114727 --ssh-backend pexpect --ssh-option="-l900" /home/$user sftp://user@remote/relative/path This command demonstrations the use of SSH options, in this case, limiting network band width, during the sftp backup

DEMO

Questions??

This presentation has been brought to you by the revelations of Edward Snowden. If you would like to help, go to https://petitions.whitehouse.gov/petitions, search for Edward Snowden, and sign the petition asking for a pardon.