semi-coherent ramblings follow - I wanted to give you some stuff to consider.

Think about your threats and the countermeasures. Encrypting a drive mitigates the risk of exposed data in case of hardware theft, and is totally useless if the attacker can access the data over the network. Network encryption mitigates eavesdropping - what are the chances of that happening at home - do you have wireless? WEP is real-time crackable, and in 2006 I went to a seminar where a guy claimed WPA was crackable in a couple hours - maybe that's why the keys rotate frequently. RAID mitigates against drive failure, and RAID5 is nice, but what about recovery?

Control your network, use secure protocols, use access controls, lock up the server/bolt it to the floor/whatever.

If you want to use an encrypted volume to store your data, SSH in, mount it manually and enter the key - how often do you reboot? 2-3 times a year? Better to have a filesystem that requires a passwd on mount than something that feeds the key in and unlocks it for you - what kind of security is that? Why even bother - the benefit of encryption is lost, unless you have a key server on your network that is hardened and locked up tight so it doesn't get stolen too.

Use whatever RAID you are comfortable with. I've tried RAID5 and RAID1, and RAID1 is by far the easiest to recover from. RAID0 is a disaster waiting to happen. Some people have had no problems with RAID5, but it seems almost as many find RAID5 such a PITA that they swear "never again!"

I did RAID1 with two drives bought at the same time. Sure enough one drive failed, and I was too busy to address it. A couple months later the other drive failed. Duh! Same drive manufacturer, same model, almost same manufacture date - yeah, I asked for that. You might want to use different drive manufacturers to mitigate that risk.

In addition to the file server, have a backup server and back up daily. This compensates for the inevitable "Oh! No!" moment when you delete a directory that you didn't mean to - you have yesterday's snapshot to recover from. Imagine how heroic I looked when I came home and my wife told me she deleted all the pictures from blah blah by accident. No problem - go to backup server, scp the directory back to the server, done. But that raises consistency checking issues - you have to make sure the backup is complete to mitigate the risk of a backup fault.

And don't forget anti-virus checking :)

Regards,

George Toft

On 4/2/2013 8:20 AM, Nathan England wrote:
>
> Hello Hello,
>
> I will soon be building a new server for my home office. I do various
> consulting jobs and have access to data that my customers consider
> highly personal or private, some of which I've signed NDAs in order
> to have access to. The current server stores my client data, various
> source code files, but it also doubles as my personal data store. All
> my personal projects along with videos and pictures, audio files and
> everything that all of us parents and geeks would want to store.
>
> My new hardware will have multiple drives in a raid configuration. I
> have not completely decided on how that will be configured. I would
> like your opinions on the best methods of securing a server. I am not
> against having to type in an encryption passphrase each time the
> machine boots, but as it will be headless, I'd really rather not, but
> hoping beyond setup I will not need to reboot it often it is an option.
>
> What options should I consider for protecting the data on the hard
> drives and still provide some sane level of usability from a
> workstation somewhere else?
>
> I appreciate your thoughts!
>
> Nathan
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
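
The backup consistency check raised in the reply above ("make sure the backup is complete"), sketched as an added example that is not part of the original thread. It hashes every file on the source side and reports anything the backup copy lacks or holds with different content; the function names and directory layout are hypothetical and the demo data is constructed.

```shell
#!/bin/sh
# Added example: check that a backup tree holds every source file, unchanged.
# Directory names below are hypothetical; demo data is constructed.

# Emit "sha256  ./relative/path" for every regular file under directory $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# verify_backup SRC DST
# Prints "MISSING <path>" or "CHANGED <path>" for each source file the backup
# lacks or holds with different content. Returns 0 only if nothing is reported.
# Limitation: file names containing newlines or backslashes are not handled.
verify_backup() {
    vb_src=$1
    vb_dst=$2
    vb_report=$(
        manifest "$vb_src" | while read -r vb_want vb_path; do
            if [ ! -f "$vb_dst/$vb_path" ]; then
                echo "MISSING $vb_path"
            else
                vb_got=$(sha256sum < "$vb_dst/$vb_path" | cut -d ' ' -f 1)
                [ "$vb_got" = "$vb_want" ] || echo "CHANGED $vb_path"
            fi
        done
    )
    [ -z "$vb_report" ] && return 0
    printf '%s\n' "$vb_report"
    return 1
}

# Constructed demo: a good backup, then one truncated file and one missing file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/server/pictures" "$d/backup"
    printf 'holiday photo bytes' > "$d/server/pictures/beach 01.jpg"
    printf 'client notes' > "$d/server/notes.txt"
    cp -R "$d/server/." "$d/backup/"
    verify_backup "$d/server" "$d/backup" && echo "backup complete"
    printf 'holiday' > "$d/backup/pictures/beach 01.jpg"   # simulated truncated copy
    rm "$d/backup/notes.txt"                                # simulated skipped file
    verify_backup "$d/server" "$d/backup" || echo "backup FAILED verification"
    rm -rf "$d"
}

demo
```

Run after the nightly copy, a non-zero exit status is the signal to alert on before the previous snapshot is rotated out.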