Bobinas P4G
  • Login

  • Public

    • Public
    • Groups
    • Popular
    • People

Conversation

Notices

  1. Dan Langille (dvl@mastodon.social@mastodon.social)'s status on Saturday, 07-Sep-2019 19:11:37 UTC Dan Langille Dan Langille
    • Dan Langille

    Full disk encryption gives peace of mind if your computer goes missing and reduces anxiety about throwing out old hard drives or computers.

    In conversation Saturday, 07-Sep-2019 19:11:37 UTC from mastodon.social permalink
    • Ruby Rhod repeated this.
    • Ruby Rhod (feld@bikeshed.party)'s status on Saturday, 07-Sep-2019 19:13:12 UTC Ruby Rhod Ruby Rhod
      in reply to
      • Ruby Rhod
      @dvl also recommend it on every server. Never worry about what happens with your company's data when you RMA a disk. Also saves your butt when reusing drives that were improperly wiped and might have traces of an old ZFS label with the zpool name "zroot" or "tank".... fixing that can lead to dangerous mistakes.
      In conversation Saturday, 07-Sep-2019 19:13:12 UTC permalink
    • Ruby Rhod (feld@bikeshed.party)'s status on Saturday, 07-Sep-2019 19:42:58 UTC Ruby Rhod Ruby Rhod
      • Ruby Rhod
      • igor
      @hirojin @dvl with a passphrase of course, but that's what gets tricky.

      Every physical box should be fully encrypted. and you should NEVER remotely reboot a server without known working console/serial console/ipmi/whatever access.

      Instead of storing the crypto passwords write a tool for your team that auto-generates the FDE passphrase based on system hostname and the service tag and some salt that only your team members know. This way it should be easy to write the script from memory if you lost access to it.

      $ /tmp/fdepass.sh -h bikeshed.party
      Generating password for bikeshed.party
      Please enter the service tag: abc123
      YTFk-MWEy-MGFk

      This is what i did @ a previous job but i don't know if the team kept up with it. Made it super easy to have FDE passphrases without a password manager that can be compromised. It requires an awful lot of information that an attacker would need to know to decrypt the drive AND they'd need physical access to the server anyway.

      If somehow one drive was brute forced it doesn't let them decrypt any drives from your other servers.

      Remember, you don't need to encrypt the VMs or containers themselves, just the physical hardware they're running on -- whether that be the server itself or the SAN/NAS where the data storage lies.
      In conversation Saturday, 07-Sep-2019 19:42:58 UTC permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • Privacy
  • Source
  • Version
  • Contact

Bobinas P4G is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Bobinas P4G content and data are available under the Creative Commons Attribution 3.0 license.