On Wednesday 14 January 2009 15:17:30 Josh Glover wrote:
> 2009/1/14 Kuda Dube <kd.gnu.linux at gmail.com>:
> > I would really like to start implementing a personal security strategy
> > and infrastructure from scratch and incorporate some or all of the
> > aspects you specified. Where can I get a template/guide for such a
> > task? Josh, can you share or put a rough guide on this ... just to help
> > get started! Looking at personal files, e-mail, etc ... locally and in
> > the cloud!
>
> It is really not that hard to get the basics right:
>
> 1. Encrypt everything
> 2. Generate a GPG key of at least 2048 bits, and protect it with a
> complex passphrase
> 3. Generate a key revocation certificate for your GPG key and keep
> several hard copies around. I keep one in my wallet and one in my
> safety deposit box at the bank. Locking one in your desk drawer at
> work would be OK as well.
> 4. Once everything is encrypted, you can store it anywhere you like,
> so make sure you have backups in at least two places.
> 5. Encrypt your private key with another private key and store copies
> in a couple of places. Keep one and only one copy of that private key
> in a safe place. Remember, this is just to protect you from losing
> access to your real private key, and compromise of that key means that
> you are still protected by your passphrase, which should give you
> enough time to revoke that key and pull down all the copies of stuff
> encrypted with it.
um ...
>
> Others may have different suggestions, or spot flaws in my strategy.
> Either way, I welcome comments.
The big problem with encrypting everything is, when I am dead and gone (or
temporarily insane for 6 months) my encrypted data will not be available to
anyone - e.g. the proof that my insurance *was* fully paid up. They may have
multiple copies of the key, but they don't have *me* to jump them through the
hoops of flaming fire.
Actually, I'd like my kids to be able to see the photographs, and if I'm
really dead, then there's no loss in them reading my mail either. Trouble
is, they won't be able to undo the encryption -- they don't even know how to
do password recovery! -- especially not if my primary copy of the key meets
the same sticky end as I do, and all of my valuable assets are scattered
anonymously over the internet (stock market accounts, rockin' cafe-press
store, well-loved paypal account, spam collection, etc.)
Maybe a hard copy is the solution: I hereby bequeath my GPG key -----BEGIN PGP
PRIVATE KEY BLOCK----- (two pages of printed text) ... to the tech-savviest
of my offspring (you know who you are) with the secret password of my street
address during 2009 (in the form "123 Blah Street"). This key can be used to
decrypt the file "private_data" which you will have to look all over to
find - but please be nice to my former employers, and do not sabotage their
systems, even if you think they contributed to my (untimely?) demise.
A sad story: I got bitten by the SuSE 7.3 (7.2?) edition of disk encryption.
That (flawed) flavour of the twofish algorithm was not available on later
versions of cryptsetup when the original installation disks were gone --
well, actually it was, but hidden in the fine print, after I had entirely
given up on the 20Gb of perfectly good data. And it wasn't my data. It was
very sad, in fact.
&:-)