[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: additional security (II)

To: tarsnap-users@tarsnap.com
Subject: Re: additional security (II)
From: tarsnap <tarsnap@infopower.nl>
Date: Mon, 31 Mar 2014 10:00:08 +0000
Authentication-results: protagonist.nl; auth=pass smtp.auth=82.150.140.96
In-reply-to: <1396254748.2800.2.camel@corrino>
References: <20140331080546.47a547c0@infopower.nl> <1396254748.2800.2.camel@corrino>

On Mon, 31 Mar 2014 10:32:28 +0200
Andreas Olsson <andreas@arrakis.se> wrote:

> mån 2014-03-31 klockan 08:05 +0000 skrev tarsnap:
> > ...
> > The (part of the) keyfile would then only reside in RAM during the
> > time that tarsnap is running (and does it really need to stay there
> > all the time?), making it more difficult for hackers to catch it.
> 
> Couldn't you just as easily solve that part yourself by at the backup
> moment copy your tarsnap key to a tmpfs mount? To be on the safe side
> it probably wouldn't hurt to disable swap, or go with an encrypted
> swap.
> 
> // Andreas

Yes I could even copy it to tarsnap's regular keyfile directory on
the VM of which I'm managing the backup and remove it afterwards, but
what I was aiming at was to not at all have it on any file system (or
am I technically wrong in that RAM is a file system also?) that is part
of a net-connected VM.

You are right though that having it temporarily on a net-connected file
system will lower the exposure but I really would like to go that one
step further, if possible.

thanks

Follow-Ups:
- Re: additional security (II)
  - From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>

References:
- additional security (II)
  - From: tarsnap <tarsnap@infopower.nl>
- Re: additional security (II)
  - From: Andreas Olsson <andreas@arrakis.se>

Prev by Date: Re: additional security (II)
Next by Date: Re: additional security (II)
Previous by thread: Re: additional security (II)
Next by thread: Re: additional security (II)
Index(es):
- Date
- Thread