Date: Fri, 01 Mar 2013 14:09:47 -0600 From: dweimer <dweimer@dweimer.net> To: freebsd-stable@freebsd.org Subject: Re: Musings on ZFS Backup strategies Message-ID: <960a34e583e40def0a60df2b889380bb@dweimer.net> In-Reply-To: <20130301192528.GA79829@neutralgood.org> References: <5130BA35.5060809@denninger.net> <bafb9e19b43b91127be25924ab139529@dweimer.net> <5130CD1C.90709@denninger.net> <20130301192528.GA79829@neutralgood.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 03/01/2013 1:25 pm, kpneal@pobox.com wrote: > On Fri, Mar 01, 2013 at 09:45:32AM -0600, Karl Denninger wrote: >> I rotate the disaster disks out to a safe-deposit box at the bank, >> and >> they're geli-encrypted, so if stolen they're worthless to the thief >> (other than their cash value as a drive) and if the building goes >> "poof" >> I have the ones in the vault to recover from. There's the potential >> for >> loss up to the rotation time of course but that is the same risk I >> had >> with all UFS filesystems. > What do you do about geli keys? Encrypted backups aren't much use if > you can't unencrypt them. In my case I set them up with a pass-phrase only, I can mount them on any FreeBSD system using geli attach ... then enter pass-phrase when prompted. It is less secure than the key method (just because the pass-phrase is far shorter than a key would be), but it ensures as long as I can remember the pass-phrase I can access the data. However my backups in this method are personal data, worse case scenario is someone steals my identity, personal photos, and iTunes library. My bank accounts don't have enough money in them to make it worth, someone going through the time and effort to get the data off the disks. The pass-phrase I picked uses all the good practices of mixed case, special characters, and its not something easy to guess even by people who know me well. It would be far easier to break into my house and get the data that way, than break the encryption, on the external backup media. If I was say backing up a corporate data with this method and my company did defense research, well I would probably use both a pass-phrase and key combination and store an offsite copy of the key in a separate secure location from the media. -- Thanks, Dean E. Weimer http://www.dweimer.net/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?960a34e583e40def0a60df2b889380bb>