In X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/68
Nikita  ([EMAIL PROTECTED]) writes:

>       I have a root account's password guarded, and fixed the security of
> the systems generally.  Now, how do I encrypt my backup tapes?

Are you sure you want to bother encrypting tapes _specifically_ ?

Have you thought about how much extra time it will take ?
Could be a _lot_.

Are your tapes stored off-site ? (Like you want to reinforce the
confidentiality of the guards who take your tapes to their store ?)
If all tapes are stored locally, and a bad guy gets physical access to
your system, tape-only crypto gets close to a waste of time.

Although encrypting backups sounds like a role for public-key crypto
be aware that PGP (pgp2.6.* anyway) does not do true filtering, but writes
a (potentially huge) temp file.  This may be enough to prevent you from
completing the backup, even ignoring the time taken.

One good plan is to use something like CFS, which keeps the files
encrypted on your disk and decrypts them in use with an NFS-like
interface.  Because only cyphertext lands on the disk (bar swap) all
your backups of those directories are encrypted without extra
cpu-consumption at backup (or restore) time.  And you have the same
protection for missing disks as you do for missing tapes.  (Now if you
had a lorry-load of Micropolis 4221's a few years back you'll know the
advantage of that.  I was returning them to the vendor the same week.
And the replacement ....)

CFS is on ftp.replay.com (cfs-1.3.3bf), initially by Matt Blaze.
CFS covers major cyphers including DES, and a choice of multipass modes
built for speed (although the slowdown vs plaintext e2fs is obvious).

There's a similar product by Ian Goldberg that can use a loopback
filesystem.  This has the effect that your encrypted filesystem lives
in a file and it helps in preparatory testing should you want to burn
an encrypted CD.

Of course your keys want to be accessible with similar reliability to the
tapes themselves (while remaining well-guarded).  Availability and
confidentiality are both equally ingredients of security.  CFS uses a
passphrase (defined for each directory tree placed under CFS).

Finally, this is not exactly a redhat question.  My website mentions
some lists that are probably more suitable.


--
##############################################################
# Antonomasia   [EMAIL PROTECTED]                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
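The streaming approach the PGP remark above argues for, as an added example that is not part of the original message: tar is piped straight through a symmetric cipher so only ciphertext reaches the medium and no plaintext temp file is ever written. It uses openssl enc as the filter in place of PGP (an assumption of this example, chosen because it reads stdin and writes stdout); the passphrase-file location, directory names, "tape" image file and sample data are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): stream a tar archive through
# openssl enc so nothing but ciphertext lands on the backup medium and no
# plaintext temp file is created. The passphrase sits in a separate key file
# that must itself be backed up and guarded (see the remark on key availability).
set -eu

# Encrypt SRC_DIR to OUT_FILE. OUT_FILE is a regular file here; on a real
# system it would be the tape device (e.g. /dev/st0, an assumed path).
backup_encrypted() {
    src_dir=$1; key_file=$2; out_file=$3
    tar -C "$src_dir" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key_file" > "$out_file"
}

# Decrypt IN_FILE with the same key file and unpack into DEST_DIR.
restore_encrypted() {
    in_file=$1; key_file=$2; dest_dir=$3
    mkdir -p "$dest_dir"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key_file" < "$in_file" \
      | tar -C "$dest_dir" -xf -
}

# Round trip on constructed sample data. Returns 0 if the restore matches the
# source byte for byte and the plaintext marker is not visible on the "tape".
demo_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc"
    printf 'secret-marker-42\n' > "$work/src/etc/shadow.txt"
    dd if=/dev/urandom of="$work/src/blob.bin" bs=1024 count=4 2>/dev/null
    umask 077                                   # key file readable by owner only
    printf 'correct horse battery staple\n' > "$work/key.txt"

    backup_encrypted "$work/src" "$work/key.txt" "$work/tape.img"
    restore_encrypted "$work/tape.img" "$work/key.txt" "$work/restore"

    if ! diff -r "$work/src" "$work/restore" >/dev/null; then
        rm -rf "$work"; return 1
    fi
    if grep -aq 'secret-marker-42' "$work/tape.img"; then
        rm -rf "$work"; return 1                # plaintext leaked to the medium
    fi
    rm -rf "$work"
    return 0
}
```

Because the cipher is a true filter, the extra cost is only the CPU time of the cipher itself; there is no second copy of the archive on disk. Note that a restore is impossible without key.txt, so that file needs the same off-site, well-guarded redundancy as the tapes it protects.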


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.