Home Office Server Security

Nathan England nathan at nmecs.com
Tue Apr 2 10:02:14 MST 2013


I appreciate what you have said here, Paul. This was the kind of insight 
I was looking for. Very true.
I have lots of large files I will be transferring back and forth, but 
the majority of my use will be with mysql and apache on this particular 
machine. I would be well off keeping the apache and mysql stuff on a 
non-encrypted partition and place my sensitive data on an encrypted 
partition.

I was considering something like this already. I would like to have my 
apache docroot and mysql databases stored somewhere secure, but on boot 
mount a tmpfs to /var/lib/mysql and /var/www/html and copy the necessary 
files from the encrypted location to the tmpfs mounts. Then run a script 
to update or backup whatever is needed. The server will have plenty of 
RAM so using 4 GB for tmpfs like this would not be an issue. Regardless, 
it would be a fun project anyway.

Thanks again, Paul.

Nathan

On 4/2/2013 9:48 AM, Paul Mooring wrote:
> You could run some tests yourself, but due to the nature of encryption I
> strongly suspect that the overhead added by LVM is negligible.  Encryption
> is supposed to be CPU intensive, like everything else involving security
> it's a tradeoff.  The most important thing to keep in mind is that you
> don't need to care about CPU overhead, if it's lightly used getting your
> files 0.25 seconds later and averaging 60% CPU rather than 40% just
> doesn't matter.
>
> Stepping on my soapbox for a minute here, network/server security is far
> less magical than many make it out to be.  It's really up to you to
> determine how much risk is involved in something and what the costs are to
> mitigate that risk.  In your case if the server isn't heavily used so the
> CPU overhead isn't a problem, the only cost is having to put in a password
> to mount the encrypted drive.  The risk of having sensitive files makes it
> a no-brainer to set this up.  Contrast that to a file server being used
> for just public files (say free exes and isos from the internet) that's
> heavily used by an office of people.  In that case setting up encryption
> is definitely more secure and also a very bad idea because the costs are
> greater than the risk.
>
> All that to say, don't pay too much attention to those numbers.  Setting
> this up is pretty straightforward and moving data off the encrypted drive
> is also pretty easy, so just set it up and if it works for you don't worry
> about trying to squeeze that last drop of performance out until you need
> to.
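
The tmpfs plan described in the message above, as an added example that is not code from either poster: one function seeds the RAM-backed directory from the encrypted volume, the other writes it back without overwriting the last good copy in place. The marker file `.store-ready`, the `current`/`previous` layout and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout on the encrypted volume (hypothetical names):
#   STORE/.store-ready   marker file that exists only on the unlocked volume
#   STORE/current/       last good snapshot
#   STORE/previous/      snapshot before that
# At boot, after unlocking the volume, the live directory would be a tmpfs:
#   mount -t tmpfs -o size=4g tmpfs /var/lib/mysql

# seed_from_store STORE_DIR LIVE_DIR
# Copy the snapshot into the live (tmpfs) directory. Refuses to run when the
# marker is missing, so an empty mount point is never served as real data.
seed_from_store() {
    store=$1; live=$2
    [ -f "$store/.store-ready" ] || { echo "store not mounted: $store" >&2; return 1; }
    mkdir -p "$live" || return 1
    cp -a "$store/current/." "$live/" || return 1
}

# persist_to_store LIVE_DIR STORE_DIR
# Copy live data into a staging directory on the encrypted volume, then
# rotate it in. An interrupted copy leaves current/ untouched, and the
# snapshot being replaced is kept as previous/.
# Stop mysqld (or take a dump) first so the copied files are consistent.
persist_to_store() {
    live=$1; store=$2
    [ -f "$store/.store-ready" ] || { echo "store not mounted: $store" >&2; return 1; }
    staging="$store/staging.$$"
    rm -rf "$staging"
    mkdir "$staging" || return 1
    cp -a "$live/." "$staging/" || { rm -rf "$staging"; return 1; }
    sync                                   # flush the copy before rotating
    rm -rf "$store/previous"
    [ ! -d "$store/current" ] || mv "$store/current" "$store/previous" || return 1
    mv "$staging" "$store/current"
}
```

Anything written to the tmpfs after the last `persist_to_store` run is lost on power failure, so the write-back interval sets how much data is at risk.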


