Andrew,
Now, you are making this more depressing!
Given that I had an unencrypted external hard disk that contained all my
life including identity, photos, research, etc ... it was pretty grim!
... one may have to choose between these extreme security scenarios:
unencrypted data in hands of strangers or encrypted data in hands of
one's non-tech savvy posterity, which has no clue how to access it!
Regards
---
Kuda
On Wed, 2009-01-14 at 16:18 +0200, Andrew McGill wrote:
> On Wednesday 14 January 2009 15:17:30 Josh Glover wrote:
> > 2009/1/14 Kuda Dube <kd.gnu.linux at gmail.com>:
> > > I would really like to start implementing a personal security strategy
> > > and infrastructure from scratch and incorporate some or all of the
> > > aspects you specified. Where can I get a template/guide for such a
> > > task? Josh, can you share or put a rough guide on this ... just to help
> > > get started! Looking at personal files, e-mail, etc ... locally and in
> > > the cloud!
> >
> > It is really not that hard to get the basics right:
> >
> > 1. Encrypt everything
> > 2. Generate a GPG key of at least 2048 bits, and protect it with a
> > complex passphrase
> > 3. Generate a key revocation certificate for your GPG key and keep
> > several hard copies around. I keep one in my wallet and one in my
> > safety deposit box at the bank. Locking one in your desk drawer at
> > work would be OK as well.
> > 4. Once everything is encrypted, you can store it anywhere you like,
> > so make sure you have backups in at least two places.
> > 5. Encrypt your private key with another private key and store copies
> > in a couple of places. Keep one and only one copy of that private key
> > in a safe place. Remember, this is just to protect you from losing
> > access to your real private key, and compromise of that key means that
> > you are still protected by your passphrase, which should give you
> > enough time to revoke that key and pull down all the copies of stuff
> > encrypted with it.
> um ...
> >
> > Others may have different suggestions, or spot flaws in my strategy.
> > Either way, I welcome comments.
>
> The big problem with encrypting everything is, when I am dead and gone (or
> temporarily insane for 6 months) my encrypted data will not be available to
> anyone - e.g. the proof that my insurance *was* fully paid up. They may have
> multiple copies of the key, but they don't have *me* to jump them through the
> hoops of flaming fire.
>
> Actually, I'd like my kids to be able to see the photographs, and if I'm
> really dead, then there's no loss in them reading my mail either. Trouble
> is, they won't be able to undo the encryption -- they don't even know how to
> do password recovery! -- especially not if my primary copy of the key meets
> the same sticky end as I do, and all of my valuable assets are scattered
> anonymously over the internet (stock market accounts, rockin' cafe-press
> store, well-loved paypal account, spam collection, etc.)
>
> Maybe a hard copy is the solution: I hereby bequeath my GPG key -----BEGIN PGP
> PRIVATE KEY BLOCK----- (two pages of printed text) ... to the tech-savviest
> of my offspring (you know who you are) with the secret password of my street
> address during 2009 (in the form "123 Blah Street"). This key can be used to
> decrypt the file "private_data" which you will have to look all over to
> find - but please be nice to my former employers, and do not sabotage their
> systems, even if you think they contributed to my (untimely?) demise.
>
> A sad story: I got bitten by the SuSE 7.3 (7.2?) edition of disk encryption.
> That (flawed) flavour of the twofish algorithm was not available on later
> versions of cryptsetup when the original installation disks were gone --
> well, actually it was, but hidden in the fine print, after I had entirely
> given up on the 20Gb of perfectly good data. And it wasn't my data. It was
> very sad, in fact.
>
> &:-)
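
A restore drill for steps 2, 3 and 5 of the quoted list, checking the recoverability concern raised in the thread: it confirms that a holder of only the second key can get the primary key back. This is an added example, not code from any poster; it assumes GnuPG 2.1 or later, all user IDs, passphrases and paths are constructed, and `g`, `fpr` and `escrow_drill` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: restore drill for an escrowed GnuPG secret key.
# User IDs, passphrases and paths are constructed; keyrings are throwaway.
# Assumes GnuPG 2.1+ (loopback pinentry, automatic revocation certificate).

# g HOMEDIR ARGS...: non-interactive gpg against one keyring
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty --pinentry-mode loopback "$@"; }

# fpr HOMEDIR LISTCMD: fingerprint of the first key in that keyring
fpr() { g "$1" --with-colons --with-fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Prints "<original fingerprint> <fingerprint restored from the escrow copy>"
escrow_drill() (
  set -e
  w=$(mktemp -d /tmp/gpgdrill.XXXXXX)
  trap 'for d in main escrow heir; do gpgconf --homedir "$w/$d" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$w"' EXIT
  for d in main escrow heir; do mkdir -m 700 "$w/$d"; done

  # Step 2: passphrase-protected key (algorithm left at GnuPG's default)
  g "$w/main" --passphrase 'constructed main passphrase' \
    --quick-generate-key 'Main <main@example.invalid>' default default never
  id=$(fpr "$w/main" --list-keys)

  # Step 3: GnuPG 2.1+ writes a revocation certificate at generation time;
  # this is the file to print and store offline
  test -s "$w/main/openpgp-revocs.d/$id.rev"

  # Second ("escrow") key pair, kept in its own keyring
  g "$w/escrow" --passphrase 'constructed escrow passphrase' \
    --quick-generate-key 'Escrow <escrow@example.invalid>' default default never
  g "$w/escrow" --armor --export > "$w/escrow.pub"

  # Step 5: encrypt the exported secret key to the escrow public key
  g "$w/main" --import "$w/escrow.pub"
  g "$w/main" --passphrase 'constructed main passphrase' --export-secret-keys "$id" |
    g "$w/main" --trust-model always --recipient escrow@example.invalid \
      --output "$w/main.sec.gpg" --encrypt

  # Drill: someone holding only the escrow key restores into a fresh keyring
  g "$w/escrow" --passphrase 'constructed escrow passphrase' --decrypt "$w/main.sec.gpg" |
    g "$w/heir" --import
  echo "$id $(fpr "$w/heir" --list-secret-keys)"
)

if [ "${1:-}" = drill ]; then escrow_drill; fi
```

Run it with the single argument `drill`; the two fingerprints it prints match when the escrow copy restores correctly.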