Slashdot Mirror


Ask Slashdot: How Would You Implement Site-Wide File Encryption?

Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to insure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue?
Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share your suggestions and experiences in the comments. How would you implement site-wide file encryption?

3 of 151 comments

  1. Trying to draw the specification for this or not. by burni2 · Score: 5, Interesting

    If you decide to implement server-level encryption across all your servers,

    This is basically simple: you can build a server that does all encryption in RAM, meaning the OS is loaded once, then the encryption key is used to have it decrypt the content for the outside.

    To stop tampering you could set up such a server yourself and equip it with various sensors that detect the presence of people or tampering, and if detected it could shut down, not compromising the encryption key to forensics.

    FireWire (because of its DMA) needs to be disabled, and unknown devices need to trigger a shutdown event and must otherwise be ignored.

    con:
    However this type of server would still emit the key data as radio spectrum.

    con2:
    The requester's question is quite sketchy; I suggest writing a specification first with the necessary "must haves" and possible use cases.

    my iscsi-encryption approach
    So I can only explain my private approach: I got a root server with big hard drives, and those hard drives are exported via iSCSI; that iSCSI connection is tunneled through SSH.

    I de-/encrypt & mount the drives only on my home server and sync the directories with rsync. The hard drives are double encrypted, meaning I have two encryption devices and two dependent keys.

    This sounds slow, but it isn't; I get nearly the full upload bandwidth of my connection.

    Meaning my root server never "knows" what data is backed up on it - it's a "dumb" server.

    I would suggest a similar approach for the requester's situation, because it solves a first step, separating the encryption key from the encrypted data.

    And a second step, having two encryption keys, making it more difficult to get all two if separated (which is contrary to my use case).

    I would expand my approach there to have a "data" server, a level1 encryption server and a level2 encryption server.

    level1 decrypts the first encryption layer and level2 does it with the data provided by level1.

    Use case:
    If only the data server is seized, shut down at least one of the intermediate servers along with its key and the data is inaccessible. And it doesn't matter which "key keeper" server you kill, it's a fail-one-fail-all system.

    The drawback is however the level2 encryption server shall not be compromised, because there all pure data is accessible.

    encrypted backup
    With today's high-speed connectivity the servers can be backed up by just cloning the hard drives over iSCSI, for example; that works quite well.

    another idea
    Most encryption providers from Linux and BSD provide the possibility of having more than one master key.

    iSCSI can also work on image files, so you can provide many independent iSCSI volumes, and encryption can be outsourced to the users' computers.
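The data server / level1 / level2 layout from the comment above, modelled as an added sketch that is not part of the original comment. `KeyKeeper`, `write_block` and `read_block` are hypothetical names, and the SHAKE-256 plus HMAC layer is a standard-library stand-in for a real disk-encryption layer, used only so the fail-one-fail-all behaviour can be run offline.

```python
import hashlib, hmac, os

class LayerError(Exception):
    """A layer could not be removed: key wrong, or its keeper is down."""

def _subkeys(key):
    # Separate encryption and MAC keys derived from one layer key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Add one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Remove one layer, refusing if the tag does not verify."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise LayerError("wrong key for this layer")
    return _xor_stream(enc_key, nonce, ct)

class KeyKeeper:
    """Intermediate server (level1 or level2): its key exists only in RAM."""
    def __init__(self):
        self.key = os.urandom(32)
    def shut_down(self):
        self.key = None          # nothing on disk to recover after power-off
    def strip_layer(self, blob):
        if self.key is None:
            raise LayerError("key keeper is down")
        return unseal(self.key, blob)

def write_block(data, level1, level2):
    # Inner layer under level2's key, outer layer under level1's key.
    return seal(level1.key, seal(level2.key, data))

def read_block(stored, level1, level2):
    # The data server only ever holds `stored`; level2 ends up with plaintext.
    return level2.strip_layer(level1.strip_layer(stored))
```

Shutting down either keeper makes every stored block unreadable, and level2 is the one place where plaintext exists, which matches the drawback the comment names.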

  2. Re:Virtual Private Raid by Anonymous Coward · Score: 4, Informative

    I wish that someone would develop a version of raid for use with servers. Have 3 VPSs in Switzerland, Russia and Holland and each one gets only a 3rd of each file. The chances of any government seizing all 3 is zero.

    GlusterFS supports striping across volumes that can be hosted on different servers: https://gluster.readthedocs.io/en/latest/Quick-Start-Guide/Architecture/

  3. hire someone by ooloorie · Score: 4, Insightful

    How Would You Implement Site-Wide File Encryption?

    Hire someone who knows what they are doing. Seriously, if this is for a business, there are lots of complex issues with compliance and audits in addition to availability and the possibility of sabotage. And this causes enough work that you'll probably need to hire someone anyway, so it might as well be someone who knows this stuff.

    Dealing with those requires experience. And the very first thing you need to come to terms with is: what risks are you actually trying to protect against? What tradeoffs are you willing to make and what risks (mainly of data loss) are you willing to accept? How much are you willing to spend on this?