Conversation
Notices
-
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca (bobjonkmanformer@sn.jonkman.ca)'s status on Thursday, 04-Aug-2016 17:04:51 UTC 
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca
I was using Duplicity when I experienced the bad encrypted backup. I blamed it on CBC. But the real lesson is to verify backups and test a restore, well before you need those backups in a real disaster recovery situation. And I'm in theoretical agreement, backups *should* be encrypted *and* stored securely. - Claes Wallin (韋嘉誠) likes this.
- Claes Wallin (韋嘉誠) repeated this.
-
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca (bobjonkmanformer@sn.jonkman.ca)'s status on Thursday, 04-Aug-2016 16:05:38 UTC
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca
Had a bad experience once where a bad block on an encrypted backup invalidated the entire backup. Now I'm a big proponent of UNencrypted backups stored in a physically secured area. -
karl (karl@soykaf.com)'s status on Thursday, 04-Aug-2016 17:16:11 UTC 
karl
@bobjonkman @wakarimasen Yeah, periodic verification is key. And having both offsite and onsite backups is also vital. My onsite backups are on drives with luks/dm-crypt'd full-disk encryption, I consider that safe enough. I use Duplicity for the "backups of the backups" that are going offsite.
I used to use owncloud's encrypted storage, until I looked deeper into it and realized how PANTS ON HEAD RETARDED it is. The encryption may be fine (I have no idea, I'm no cryptographer) but they don't obfuscate filenames.
"La dee da, I'm a bad guy who's got a folder full of encrypted files from someone's owncloud install, let's see, there's a little file called passwords.txt, gee, I wonder what file I'm gonna aim my password cracker at first?"Claes Wallin (韋嘉誠) repeated this. -
wakarimasen (wakarimasen@soykaf.com)'s status on Thursday, 04-Aug-2016 17:20:41 UTC 
wakarimasen
@karl @bobjonkman Consider also backing up your LUKS headers, just in case. https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery Claes Wallin (韋嘉誠) repeated this. -
karl (karl@soykaf.com)'s status on Thursday, 04-Aug-2016 17:24:34 UTC
karl
@wakarimasen @bobjonkman Way ahead of you. :) Every encrypted drive I have has a backup of the headers and keyfiles for all the other encrypted drives. Claes Wallin (韋嘉誠) likes this.Claes Wallin (韋嘉誠) repeated this. -
Claes Wallin (韋嘉誠) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 04-Aug-2016 17:27:15 UTC 
Claes Wallin (韋嘉誠)
@karl @bobjonkman @wakarimasen Well, OwnCloud needs to be able to access the encryption key, so encrypted storage is bonkers anyway. -
Claes Wallin (韋嘉誠) (clackemovedtoheldscalla@quitter.se)'s status on Thursday, 04-Aug-2016 17:28:43 UTC
Claes Wallin (韋嘉誠)
@karl I'm assuming that OwnCloud doesn't ask you for a long password before it can start. -
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca (bobjonkmanformer@sn.jonkman.ca)'s status on Thursday, 04-Aug-2016 17:37:11 UTC
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca
!ownCloud and !Nextcloud need access to the encryption key, but the offsite storage provider does not. So, if you keep your ownClould/Nextcloud server securely on your premises then you can use an offsite storage provider and get some additional security from encrypted storage. Claes Wallin (韋嘉誠) repeated this. -
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca (bobjonkmanformer@sn.jonkman.ca)'s status on Thursday, 04-Aug-2016 17:40:06 UTC
Former Bob Jonkman -- Please use the new server at https://gs.jonkman.ca
I did not know that !ownCloud uses file-based encryption. I would like to see external storage as a single LUKS blob with its own internal filesystem. -
Claes Wallin (韋嘉誠) (clackemovedtoheldscalla@quitter.se)'s status on Friday, 05-Aug-2016 08:03:07 UTC
Claes Wallin (韋嘉誠)
@bobjonkman That does make sense, I didn't consider external storage.
All Chirp! content and data are available under the