Note about encrypting usb drives
parent 2668887b22
commit 59ba8d3c1b
|
@ -18,6 +18,8 @@
|
|||
#+END_CENTER
|
||||
|
||||
* Backup to USB
|
||||
First and foremost - *encrypt your USB drives*! Even if you think you have "/nothing to hide/" if you accidentally lose a USB thumb drive (it's easy to lose small objects) and it's not encrypted then potentially someone might be able to obtain enough information about you to commit identity fraud, take out loans, open bank accounts, etc. Use LUKS encryption. In Ubuntu you can do this using the /Disk Utility/ application. Some instructions [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][can be found here]].
|
||||
|
||||
Insert a USB thumb drive into the front socket of the Beaglebone Black.
|
||||
|
||||
Log into the system and become the root user, then run the /backup/ command.
|
||||
|
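Review bot: The new paragraph under "* Backup to USB" tells readers to use LUKS but only documents the Ubuntu route through /Disk Utility/ and an external link, so anyone preparing the drive on another distribution has no instructions. Consider adding the command-line equivalent (for example `cryptsetup luksFormat` on the drive, then creating a filesystem on the opened mapping), and split the first sentence, which currently runs the advice and the identity-fraud rationale together.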
@ -28,7 +30,7 @@ su
|
|||
backup
|
||||
#+END_SRC
|
||||
|
||||
If this is the first time that you've made a backup then you will be prompted for your GPG key password.
|
||||
Type in the password for the USB drive, then if this is the first time that you've made a backup then you will be prompted for your GPG key passphrase.
|
||||
|
||||
When the backup ends remove the USB drive and keep it somewhere safe. Even if it gets lost or falls into the wrong hands the content is encrypted and so is unlikely to become a source of leaks.
|
||||
* Restore from USB
|
||||
|
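Review bot: In the replacement sentence after the `backup` command, "Type in the password for the USB drive" is stated unconditionally, while the paragraph added at the top of the section only recommends encrypting the drive. Say what the user sees when the drive is not LUKS formatted, and consider "passphrase" for the drive as well so the wording matches "GPG key passphrase". The "then if ... then" construction would also read better as two sentences.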
@ -42,7 +44,7 @@ su
|
|||
restore
|
||||
#+END_SRC
|
||||
|
||||
You will be prompted to enter your GPG key password, then when the restore is complete you can remove the USB drive.
|
||||
Enter the password for the USB drive, then you will be prompted to enter your GPG key passphrase. When the restore is complete you can remove the USB drive.
|
||||
* Distributed backups
|
||||
Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised.
|
||||
|
||||
|
|
|
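Review bot: The restore sentence now assumes every backup drive prompts for a drive password, which leaves out drives written while the documentation did not ask for encryption. If `restore` still accepts an unencrypted drive, say so here; if it does not, the section needs a migration step for existing backups.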
@ -181,7 +181,7 @@ On your internet router, typically under firewall settings, open the following p
|
|||
* Keydrives
|
||||
After installing for the first time it's a good idea to create some keydrives. These will store your gpg key so that if all else fails you will still be able to restore from backup. There are two ways to do this:
|
||||
** Master Keydrive
|
||||
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the "Discs" application. Then plug it into the Freedombone system, then from your local machine run:
|
||||
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][done from the /Disk Utility/ application]]. Then plug it into the Freedombone system, then from your local machine run:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomainname -p 2222
|
||||
|
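Review bot: The application name in the Master Keydrive paragraph changes from "Discs" to /Disk Utility/, and the link wraps "done from the /Disk Utility/ application" here but "can be done from the /Disk Utility/ application" in the Fragment keydrives paragraph and "can be found here" on the backup page. Pick one link text for all three and confirm the name matches what the Ubuntu launcher actually shows.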
@ -193,7 +193,7 @@ exit
|
|||
|
||||
If you are on a Beaglebone Black then use /sda/ rather than /sdb/ for the drive parameter.
|
||||
** Fragment keydrives
|
||||
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the "Discs" application. Plug it into the Freedombone system then from your local machine run the following commands:
|
||||
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][can be done from the /Disk Utility/ application]]. Plug it into the Freedombone system then from your local machine run the following commands:
|
||||
|
||||
#+BEGIN_SRC bash
|
||||
ssh myusername@mydomainname -p 2222
|
||||
|
|
|
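Review bot: The Fragment keydrives paragraph repeats the same "format a USB drive as a LUKS encrypted drive" sentence and link as Master Keydrive, and the backup page now carries a third copy. A single heading on preparing an encrypted USB drive, linked from all three places, would keep the instructions from drifting apart.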
@ -4,16 +4,22 @@
|
|||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<title></title>
|
||||
<!-- 2015-04-10 Fri 13:50 -->
|
||||
<!-- 2015-07-05 Sun 20:29 -->
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
|
||||
<meta name="generator" content="Org-mode" />
|
||||
<meta name="author" content="Bob Mottram" />
|
||||
<meta name="description" content="Turn the Beaglebone Black into a personal communications server"
|
||||
/>
|
||||
<meta name="keywords" content="freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<style type="text/css">
|
||||
<!--/*--><![CDATA[/*><!--*/
|
||||
.title { text-align: center; }
|
||||
.title { text-align: center;
|
||||
margin-bottom: .2em; }
|
||||
.subtitle { text-align: center;
|
||||
font-size: medium;
|
||||
font-weight: bold;
|
||||
margin-top:0; }
|
||||
.todo { font-family: monospace; color: red; }
|
||||
.done { font-family: monospace; color: green; }
|
||||
.priority { font-family: monospace; color: orange; }
|
||||
|
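Review bot: The header hunk of the exported HTML changes the export timestamp comment and the `.title` / `.subtitle` CSS, none of which relates to the USB encryption note. If the generated HTML has to be committed, regenerate it in a separate commit so the documentation change can be reviewed on its own.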
@ -21,9 +27,9 @@
|
|||
padding: 2px; font-size: 80%; font-weight: normal; }
|
||||
.timestamp { color: #bebebe; }
|
||||
.timestamp-kwd { color: #5f9ea0; }
|
||||
.right { margin-left: auto; margin-right: 0px; text-align: right; }
|
||||
.left { margin-left: 0px; margin-right: auto; text-align: left; }
|
||||
.center { margin-left: auto; margin-right: auto; text-align: center; }
|
||||
.org-right { margin-left: auto; margin-right: 0px; text-align: right; }
|
||||
.org-left { margin-left: 0px; margin-right: auto; text-align: left; }
|
||||
.org-center { margin-left: auto; margin-right: auto; text-align: center; }
|
||||
.underline { text-decoration: underline; }
|
||||
#postamble p, #preamble p { font-size: 90%; margin: .2em; }
|
||||
p.verse { margin-left: 3%; }
|
||||
|
@ -62,12 +68,12 @@
|
|||
caption.t-above { caption-side: top; }
|
||||
caption.t-bottom { caption-side: bottom; }
|
||||
td, th { vertical-align:top; }
|
||||
th.right { text-align: center; }
|
||||
th.left { text-align: center; }
|
||||
th.center { text-align: center; }
|
||||
td.right { text-align: right; }
|
||||
td.left { text-align: left; }
|
||||
td.center { text-align: center; }
|
||||
th.org-right { text-align: center; }
|
||||
th.org-left { text-align: center; }
|
||||
th.org-center { text-align: center; }
|
||||
td.org-right { text-align: right; }
|
||||
td.org-left { text-align: left; }
|
||||
td.org-center { text-align: center; }
|
||||
dt { font-weight: bold; }
|
||||
.footpara:nth-child(2) { display: inline; }
|
||||
.footpara { display: block; }
|
||||
|
@ -148,7 +154,6 @@ for the JavaScript code in this tag.
|
|||
<a name="top" id="top"></a>
|
||||
</div>
|
||||
<div id="content">
|
||||
<h1 class="title"></h1>
|
||||
<div class="center">
|
||||
|
||||
<div class="figure">
|
||||
|
@ -162,35 +167,39 @@ for the JavaScript code in this tag.
|
|||
|
||||
|
||||
<colgroup>
|
||||
<col class="left" />
|
||||
<col class="org-left" />
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td class="left"><a href="index.html">Home</a></td>
|
||||
<td class="org-left"><a href="index.html">Home</a></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td class="left"><a href="#unnumbered-1">Backup to USB</a></td>
|
||||
<td class="org-left"><a href="#orgheadline1">Backup to USB</a></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td class="left"><a href="#unnumbered-2">Restore from USB</a></td>
|
||||
<td class="org-left"><a href="#orgheadline2">Restore from USB</a></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td class="left"><a href="#unnumbered-3">Distributed backups</a></td>
|
||||
<td class="org-left"><a href="#orgheadline3">Distributed backups</a></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td class="left"><a href="#unnumbered-4">Restore from a friend</a></td>
|
||||
<td class="org-left"><a href="#orgheadline4">Restore from a friend</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<div id="outline-container-unnumbered-1" class="outline-2">
|
||||
<h2 id="unnumbered-1">Backup to USB</h2>
|
||||
<div class="outline-text-2" id="text-unnumbered-1">
|
||||
<div id="outline-container-orgheadline1" class="outline-2">
|
||||
<h2 id="orgheadline1">Backup to USB</h2>
|
||||
<div class="outline-text-2" id="text-orgheadline1">
|
||||
<p>
|
||||
First and foremost - <b>encrypt your USB drives</b>! Even if you think you have "<i>nothing to hide</i>" if you accidentally lose a USB thumb drive (it's easy to lose small objects) and it's not encrypted then potentially someone might be able to obtain enough information about you to commit identity fraud, take out loans, open bank accounts, etc. Use LUKS encryption. In Ubuntu you can do this using the <i>Disk Utility</i> application. Some instructions <a href="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">can be found here</a>.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Insert a USB thumb drive into the front socket of the Beaglebone Black.
|
||||
</p>
|
||||
|
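Review bot: The regenerated page renames every heading anchor from `unnumbered-N` to `orgheadlineN` (for example `#unnumbered-1` becomes `#orgheadline1`) and the table cell classes from `left` to `org-left`, so existing links to a section of this page will stop resolving. Either pin the anchors in the Org source with `CUSTOM_ID` properties or mention the anchor change in the commit message.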
@ -208,7 +217,7 @@ backup
|
|||
</div>
|
||||
|
||||
<p>
|
||||
If this is the first time that you've made a backup then you will be prompted for your GPG key password.
|
||||
Type in the password for the USB drive, then if this is the first time that you've made a backup then you will be prompted for your GPG key passphrase.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
@ -216,9 +225,9 @@ When the backup ends remove the USB drive and keep it somewhere safe. Even if it
|
|||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div id="outline-container-unnumbered-2" class="outline-2">
|
||||
<h2 id="unnumbered-2">Restore from USB</h2>
|
||||
<div class="outline-text-2" id="text-unnumbered-2">
|
||||
<div id="outline-container-orgheadline2" class="outline-2">
|
||||
<h2 id="orgheadline2">Restore from USB</h2>
|
||||
<div class="outline-text-2" id="text-orgheadline2">
|
||||
<p>
|
||||
Insert the USB thumb drive containing your backup into the front socket of the Beaglebone Black.
|
||||
</p>
|
||||
|
@ -236,13 +245,13 @@ restore
|
|||
</div>
|
||||
|
||||
<p>
|
||||
You will be prompted to enter your GPG key password, then when the restore is complete you can remove the USB drive.
|
||||
Enter the password for the USB drive, then you will be prompted to enter your GPG key passphrase. When the restore is complete you can remove the USB drive.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div id="outline-container-unnumbered-3" class="outline-2">
|
||||
<h2 id="unnumbered-3">Distributed backups</h2>
|
||||
<div class="outline-text-2" id="text-unnumbered-3">
|
||||
<div id="outline-container-orgheadline3" class="outline-2">
|
||||
<h2 id="orgheadline3">Distributed backups</h2>
|
||||
<div class="outline-text-2" id="text-orgheadline3">
|
||||
<p>
|
||||
Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised.
|
||||
</p>
|
||||
|
@ -288,12 +297,12 @@ Store it within a password manager on a USB drive which you carry with you. In t
|
|||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<div id="outline-container-unnumbered-4" class="outline-2">
|
||||
<h2 id="unnumbered-4">Restore from a friend</h2>
|
||||
<div class="outline-text-2" id="text-unnumbered-4">
|
||||
</div><div id="outline-container-unnumbered-5" class="outline-3">
|
||||
<h3 id="unnumbered-5">With a completely new Freedombone installation</h3>
|
||||
<div class="outline-text-3" id="text-unnumbered-5">
|
||||
<div id="outline-container-orgheadline4" class="outline-2">
|
||||
<h2 id="orgheadline4">Restore from a friend</h2>
|
||||
<div class="outline-text-2" id="text-orgheadline4">
|
||||
</div><div id="outline-container-orgheadline5" class="outline-3">
|
||||
<h3 id="orgheadline5">With a completely new Freedombone installation</h3>
|
||||
<div class="outline-text-3" id="text-orgheadline5">
|
||||
<p>
|
||||
This is the ultimate disaster recovery scenario in which you are beginning completely from scratch with new hardware and a new Freedombone installation (configured with the same username and domain names). It is assumed that the old hardware was destroyed, but that you have the backup key stored within a password manager on a USB thumb drive.
|
||||
</p>
|
||||
|
@ -345,9 +354,9 @@ Then use the command:
|
|||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div id="outline-container-unnumbered-6" class="outline-3">
|
||||
<h3 id="unnumbered-6">On an existing Freedombone installation</h3>
|
||||
<div class="outline-text-3" id="text-unnumbered-6">
|
||||
<div id="outline-container-orgheadline6" class="outline-3">
|
||||
<h3 id="orgheadline6">On an existing Freedombone installation</h3>
|
||||
<div class="outline-text-3" id="text-orgheadline6">
|
||||
<p>
|
||||
This is for more common situations in which maybe some data became corrupted and you want to restore it.
|
||||
</p>
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<title></title>
|
||||
<!-- 2015-07-05 Sun 19:54 -->
|
||||
<!-- 2015-07-05 Sun 20:31 -->
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
|
||||
<meta name="generator" content="Org-mode" />
|
||||
<meta name="author" content="Bob Mottram" />
|
||||
|
@ -563,7 +563,7 @@ After installing for the first time it's a good idea to create some keydrives. T
|
|||
<h3 id="orgheadline12">Master Keydrive</h3>
|
||||
<div class="outline-text-3" id="text-orgheadline12">
|
||||
<p>
|
||||
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the "Discs" application. Then plug it into the Freedombone system, then from your local machine run:
|
||||
This is the traditional security model in which you carry your full keyring on an encrypted USB drive. To make a master keydrive first format a USB drive as a LUKS encrypted drive. In Ubuntu this can be <a href="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">done from the <i>Disk Utility</i> application</a>. Then plug it into the Freedombone system, then from your local machine run:
|
||||
</p>
|
||||
|
||||
<div class="org-src-container">
|
||||
|
@ -585,7 +585,7 @@ If you are on a Beaglebone Black then use <i>sda</i> rather than <i>sdb</i> for
|
|||
<h3 id="orgheadline13">Fragment keydrives</h3>
|
||||
<div class="outline-text-3" id="text-orgheadline13">
|
||||
<p>
|
||||
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this can be done from the "Discs" application. Plug it into the Freedombone system then from your local machine run the following commands:
|
||||
This breaks your GPG key into a number of fragments and randomly selects one to add to the USB drive. First format a USB drive as a LUKS encrypted drive. In Ubuntu this <a href="https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage">can be done from the <i>Disk Utility</i> application</a>. Plug it into the Freedombone system then from your local machine run the following commands:
|
||||
</p>
|
||||
|
||||
<div class="org-src-container">
|
||||
|
|