Date: Fri, 01 Mar 2013 14:43:13 -0600 From: Karl Denninger <karl@denninger.net> To: freebsd-stable@freebsd.org Subject: Re: Musings on ZFS Backup strategies Message-ID: <513112E1.80202@denninger.net> In-Reply-To: <20130301192528.GA79829@neutralgood.org> References: <5130BA35.5060809@denninger.net> <bafb9e19b43b91127be25924ab139529@dweimer.net> <5130CD1C.90709@denninger.net> <20130301192528.GA79829@neutralgood.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/1/2013 1:25 PM, kpneal@pobox.com wrote: > On Fri, Mar 01, 2013 at 09:45:32AM -0600, Karl Denninger wrote: >> I rotate the disaster disks out to a safe-deposit box at the bank, and >> they're geli-encrypted, so if stolen they're worthless to the thief >> (other than their cash value as a drive) and if the building goes "poof" >> I have the ones in the vault to recover from. There's the potential for >> loss up to the rotation time of course but that is the same risk I had >> with all UFS filesystems. > What do you do about geli keys? Encrypted backups aren't much use if > you can't unencrypt them. I keep them in my head. Even my immediate family could not guess it; one of the things I mastered many years ago was "algorithmic" and very long passwords that are easy to remember but impossible for someone to guess other than by brute force, and if long enough that becomes prohibitive for the guesser. If I needed even better I'd keep the (random part of the) composite key on an external thing (e.g. thumbdrive) that is only stuffed in the box to boot and attach the drives, the removed and stored separately under separate and high security. There is no point to using a composite key IF THE RANDOM PART CAN BE STOLEN; you then are back to the security of the typed password (if any), so if you want the better level of security you need to deal with the physical security of the random portion and make sure it is NEVER on an unencrypted part of the disk itself. If you're not going to do that then a strong and long password is just as good. I can mount my backup volumes on any FreeBSD machine that has the geli framework. -- -- Karl Denninger /The Market Ticker ®/ <http://market-ticker.org>; Cuda Systems LLC
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?513112E1.80202>