Re: geli encryption on server

From: Ralf Mardorf <ralf-mardorf_at_riseup.net>
Date: Mon, 13 Mar 2023 05:45:43 UTC

On Sun, 2023-03-12 at 23:36 +0100, Polytropon wrote:
> However, you _can_ use this approach with storing the keyfile
> on a USB stick and remove it when the system has been started.

Since USB sticks are not reliable, backing up the key is required, but
copies of keys lower security. While SanDisk Extreme PRO SD cards are
reliable, I wouldn't trust the reliability. Btw. I already lost keys to
decrypt emails out of sloppiness, IOW sometimes users aren't reliable,
either. Not to mention that sometimes, though rarely, I don't know my bank
card's 4-digit PIN at the supermarket checkout. Then I wish I had
written them on the card ;D. Security measures are a double-edged sword.
Useless when done wrong, but a pitfall when done right.