
#1 2014-10-25 17:10:20

maggie
Member
Registered: 2011-02-12
Posts: 255

Seeking best practices for keeping a dm-crypt partition

Since my wife had her laptop stolen from her car, it is time for me to encrypt my /home partition where I have personal and financial data. I am looking for some best practices from experienced users.

#1. I keep backups at home of the data in case something bad happens to the machine; this is without question.
#2. I will back up the LUKS header of the partition and keep it at home in a safe place.

What else is good to do?

P.S. I created the partition like this:

# cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha256 --use-random luksFormat /dev/sda4

Last edited by maggie (2014-10-25 17:11:01)


#2 2014-10-25 18:17:22

Stebalien
Member
Registered: 2010-04-27
Posts: 1,239
Website

Re: Seeking best practices for keeping a dm-crypt partition

Depending on the type of "crooks" you're afraid of, you might want to ensure that your /tmp is mounted in RAM and that any swap partitions are encrypted. Also, just to make sure, did you overwrite (or trim, if you have an SSD) the partition before encrypting? Finally, you might also want to encrypt /var (private data can get stashed there when printing, etc.).


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C

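Added example (not part of any post in this thread): a small shell audit of the points raised in the reply above, checking that /home and /var sit on a dm-crypt mapping, that active swap is encrypted, and that /tmp is a tmpfs. It assumes filesystems sit directly on the dm-crypt mapping (no LVM layer) and that swap is a partition; the function names, finding labels and sample layout are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are plain text so the checks can
# be tried on the constructed samples below before pointing them at a machine:
#   $1 = output of `lsblk -rno NAME,TYPE,MOUNTPOINT`   $2 = /proc/mounts
# Assumes no LVM layer between the dm-crypt mapping and the filesystem.

# Print the lsblk TYPE backing a mountpoint; a path without its own mount
# (e.g. /var) lives on the root filesystem, so fall back to the "/" row.
dev_type() {  # $1 = lsblk text, $2 = mountpoint
    printf '%s\n' "$1" | awk -v mp="$2" '
        $3 == mp  { hit = $2 }
        $3 == "/" { root = $2 }
        END { if (hit == "") hit = root; print hit }'
}

# Print one finding per line; no output means every check passed.
audit() {  # $1 = lsblk text, $2 = mounts text
    for mp in /home /var; do
        [ "$(dev_type "$1" "$mp")" = crypt ] || echo "UNENCRYPTED $mp"
    done
    # Active swap shows up in lsblk with the mountpoint "[SWAP]".
    printf '%s\n' "$1" |
        awk '$3 == "[SWAP]" && $2 != "crypt" { print "UNENCRYPTED swap " $1 }'
    # /tmp is only "in RAM" when its filesystem type is tmpfs.
    printf '%s\n' "$2" |
        awk '$2 == "/tmp" { t = $3 } END { if (t != "tmpfs") print "NOT-TMPFS /tmp" }'
}

# Constructed sample: only /home (on sda4) is encrypted, as in the first post.
SAMPLE_LSBLK='sda disk
sda1 part /boot
sda2 part [SWAP]
sda3 part /
sda4 part
home crypt /home'
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

audit "$SAMPLE_LSBLK" "$SAMPLE_MOUNTS"
# On a live system:
#   audit "$(lsblk -rno NAME,TYPE,MOUNTPOINT)" "$(cat /proc/mounts)"
```

On the constructed sample this flags /var (it lives on the unencrypted root) and the plain swap partition, while /home and /tmp pass.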

#3 2014-10-25 20:40:59

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,353

Re: Seeking best practices for keeping a dm-crypt partition

maggie wrote:

Since my wife had her laptop stolen from her car

That sucks.  I bet they did more damage to the car than the value of the stuff stolen.

I prefer to encrypt files and directories using tools like GPG and passphrase-protected keys. But, that is just me. Most stuff is left clear text so, unless I am dealing with sensitive data, I don't need to mess with decryption unless I have to. Also, it does add a bit of security through obscurity. If most of the disk is in clear text, an adversary might not recognize that some obscure file is encrypted and might contain something of interest.

As to your backups.  Your plan is not sufficient.  You should have more than one backup.  Your backups must be tested.  At least one backup must be off-site.  What if someone broke into your home and stole the laptop and the backup?  Or if the house burned down?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#4 2014-10-27 20:13:56

maggie
Member
Registered: 2011-02-12
Posts: 255

Re: Seeking best practices for keeping a dm-crypt partition

Thank you all.
