The main advantage though, is that every single file and directory is encrypted individually, so even if one file were to become corrupted, as long as the masterkeyfile can be read, you can get back a lot of the encrypted files. There is also only one security factor for the encrypted files - a password. I then close the Veracrypt/Cryptomator volume and they stay out of my computer until I next need to do a backup.Ĭryptomator has some disadvantages - first is that the encrypted file names/directory paths can be very long, so if you are then backing up those files to an optical drive, they can often be too long for an optical disc filesystem such as JOLIET. That effectively does an rsync against all of the files on the Unraid server shares and updates the files on the relevant USB stick. Periodically I will mount each of those USB sticks, open the encrypted files with Cryptomator or Veracrypt and then run FreeFileSync, which is an amazing application that I donate to. One of those USB sticks is protected with a Veracrypt volume (password and passfile) and the others are all encrypted with Cryptomator. If I take anything off of the Unraid server, it gets encrypted as a backup on USB sticks I have attached to my house/car keys. The KeepassXC database on one of those drives is further protected by a password and keyfile combination. My documents exist on an Unraid server, with every drive LUKS encrypted. So I have gone through much the same as the OP. I have a lot of personal documents (copy of birth certificate, marriage certificate, health records) that I have ‘digitised’ should anything happen to the paper originals. That being said I might be understating the security benefit because there’s also the fact that there’s a lot more malware out there that’s going to just grab files off a disk than do both that and try and grab your encryption keys. Now, if you’re not willing to go through the hassle of an external key system, then just having the drive encrypted and only mounting it when needed is probably good enough because there’s really only a slight increase in security by using a secondary layer of encryption from the machine itself. The reason it’s done that way is so that file decryption speed isn’t limited by the yubikey but by that cert in the header being encrypted and unique you still get the benefit of not having your entire encryption method stolen. In the case of gpg encryption the whole file isn’t decoded using the yubikey instead there’s a header that gets decrypted by the yubikey that has a certificate to decrypt the rest of the file, the certificate in the header is unique to each individual file so even if that’s grabbed by the malware it can still only decrypt the single file. The certificate that encrypts things never leaves the yubikey but if someone stole the yubikey they would still need the pin code to do anything with it. The way it works is that I have to have both the yubikey and a pin code to decrypt a file. I personally use a yubikey with a gpg certificate on the key. So instead you have to use something like a yubikey. For example, if the encryption method is just a password the malware could key log the password and gain access to any file encrypted by that password. Now the other important thing is that whatever is used to do the encryption cannot be on the compromised computer itself. It would not prevent the stuff you have open from being stolen because presumably at the very least the malware could do screen grabs and key logging. The biggest risk that would go away if you encrypt the files individually is that all of the data couldn’t be stolen at one time, basically only the data in whatever file you have open would be able to be stolen by malware. Most of the remaining risk isn’t going to go away by encrypting the data again but there may still be a purpose to it. This reduces most of the risk of something grabbing that data. In your case you’re saying that you’re only mounting that drive while you’re using the data which would mean that there’s a limited time that the data is essentially unencrypted. So generally an encrypted home folder or the like is there for the purpose of someone stealing your physical drive not being able to access your data, but when your computer is on and unlocked people could still access the data because when the drive is mounted the data is accessible as if it weren’t encrypted.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |