[ale] destroy old drives

Jim Kinney jim.kinney at gmail.com
Wed Apr 24 07:33:17 EDT 2019


NBDE is the tool for auto decrypt on your LAN.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Network-Bound_Disk_Encryption.html
If the drive leaves the network, it won't decrypt.

On April 23, 2019 11:06:12 PM EDT, "Bryan L. Gay via Ale" <ale at ale.org> wrote:
>I love LUKS. All my drives are LUKS encrypted. I enter my passphrase at
>boot, the first drive is decrypted, and it unlocks the keys for the rest of
>the drives that are then automagically decrypted and mounted.
>Downside is that I can't remotely reboot my server, not that I'd want to.
>
>On Thu, Apr 11, 2019 at 5:30 PM DJ-Pfulio via Ale <ale at ale.org> wrote:
>
>> Yet more reasons to use encrypted storage.
>>
>> Isn't there an enterprise solution for this using key servers to unlock the
>> partitions at boot?  Take the server/disks off the LAN and there aren't
>> any key servers available.
>>
>> On 4/11/19 4:31 PM, Alex Carver via Ale wrote:
>> > If someone really wants your data, holes don't matter.  The rest of the
>> > platter is still intact in that case and can have the data extracted.
>> >
>> > There's also no guarantee that Dban can write enough to be sure that the
>> > magnetic domains are fully randomized deep in the platter.  The longer
>> > data sits statically on the disk the more opportunity for the surface
>> > domain to imprint on deeper domains (this is actually a problem with
>> > magnetic tape, magnetic data can print through from one layer of tape to
>> > the next layer when it's wound on the spindle).
>> >
>> > A serious entity can perform a deep level scan of the platter and
>> > retrieve the low level signal under the surface domains and see previous
>> > data.  The drive head typically isn't powerful enough to write that
>> > deeply because it has to keep the tracks narrow.
>> >
>> > On 2019-04-11 12:13, Steve Litt via Ale wrote:
>> >> On Wed, 10 Apr 2019 22:11:42 -0400
>> >> Jim Kinney <jim.kinney at gmail.com> wrote:
>> >>
>> >>> Dban advantage: it can be done across hundreds or thousands of drives
>> >>> before larcenous third party "shredders" physically touch the drives.
>> >>
>> >> That's a good point.
>> >>
>> >> Doesn't dban take an hour or more? How many drives can I do with one
>> >> computer? How long would it take to test whether each is really blank?
>> >>
>> >> What might be nice with 1000 drives to do is dban followed by drilling
>> >> 3 holes in each drive. I'd say each drive would take 1 minute for 3
>> >> holes, so it's about 2 days for one employee to drill the holes. Or,
>> >> perhaps, one employee could both dban and drill the holes, drilling the
>> >> holes while the next batch is dbanning.

-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.