[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: additional security (II)



On Mon, 31 Mar 2014 10:32:28 +0200
Andreas Olsson <andreas@arrakis.se> wrote:

> mån 2014-03-31 klockan 08:05 +0000 skrev tarsnap:
> > ...
> > The (part of the) keyfile would then only reside in RAM during the
> > time that tarsnap is running (and does it really need to stay there
> > all the time?), making it more difficult for hackers to catch it.
> 
> Couldn't you just as easily solve that part yourself by at the backup
> moment copy your tarsnap key to a tmpfs mount? To be on the safe side
> it probably wouldn't hurt to disable swap, or go with an encrypted
> swap.
> 
> // Andreas

Yes I could even copy it to tarsnap's regular keyfile directory on
the VM of which I'm managing the backup and remove it afterwards, but
what I was aiming at was to not at all have it on any file system (or
am I technically wrong in that RAM is a file system also?) that is part
of a net-connected VM.

You are right though that having it temporarily on a net-connected file
system will lower the exposure but I really would like to go that one
step further, if possible.

thanks