Re: Home Office Server Security

Author: George Toft
Date:  
To: nathan, Main PLUG discussion list
Subject: Re: Home Office Server Security
semi-coherent ramblings follow - I wanted to give you some stuff to consider

Think about your threats and the countermeasures. Encrypting a drive
mitigates the risk of exposed data in case of hardware theft, and is
totally useless if the attacker can access the data over the network.
Network encryption mitigates eavesdropping - what are the chances of
that happening at home - do you have wireless? WEP is real-time
crackable, and in 2006 I went to a seminar where a guy claimed WPA was
crackable in a couple hours - maybe that's why the keys rotate
frequently. RAID mitigates against drive failure, and RAID5 is nice,
but what about recovery?

Control your network, use secure protocols, use access controls, lock up
the server/bolt it to the floor/whatever. If you want to use an
encrypted volume to store your data, SSH in, mount it manually and enter
the key - how often do you reboot? 2-3 times a year? Better to have a
filesystem that requires a passwd on mount than something that feeds the
key in and unlocks it for you - what kind of security is that? Why even
bother - the benefit of encryption is lost, unless you have a key server
on your network that is hardened and locked up tight so it doesn't get
stolen too.

Use whatever RAID you are comfortable with. I've tried RAID5 and RAID1,
and RAID1 is by far the easiest to recover from. RAID0 is a disaster
waiting to happen. Some people have had no problems with RAID5, but it
seems almost as many find RAID5 such a PITA that they swear "never again!"

I did RAID1 with two drives bought at the same time. Sure enough one
drive failed, and I was too busy to address it. A couple months later
the other drive failed. Duh! Same drive manufacturer, same model,
almost same manufacture date - yeah, I asked for that. You might want
to use different drive manufacturers to mitigate that risk.

In addition to the file server, have a backup server and back up daily.
This compensates for the inevitable "Oh! No!" moment when you delete a
directory that you didn't mean to - you have yesterday's snapshot to
recover from. Imagine how heroic I looked when I came home and my wife
told me she deleted all the pictures from blah blah by accident. No
problem - go to backup server, scp the directory back to the server,
done. But that raises consistency checking issues - you have to make
sure the backup is complete to mitigate the risk of a backup fault.

And don't forget anti-virus checking :)

Regards,

George Toft

On 4/2/2013 8:20 AM, Nathan England wrote:
>
> Hello Hello,
>
> I will soon be building a new server for my home office. I do various
> consulting jobs and have access to data that my customers consider
> highly personal or private, some of which I've signed NDAs in order
> to have access to. The current server stores my client data, various
> source code files, but it also doubles as my personal data store. All
> my personal projects along with videos and pictures, audio files and
> everything that all of us parents and geeks would want to store.
>
> My new hardware will have multiple drives in a raid configuration. I
> have not completely decided on how that will be configured. I would
> like your opinions on the best methods of securing a server. I am not
> against having to type in an encryption passphrase each time the
> machine boots, but as it will be headless, I'd really rather not, but
> hoping beyond setup I will not need to reboot it often it is an option.
>
> What options should I consider for protecting the data on the hard
> drives and still provide some sane level of usability from a
> workstation somewhere else?
>
> I appreciate your thoughts!
>
> Nathan
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
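
The backup consistency check raised in the reply above (making sure the daily backup is complete), as an added example that is not part of the original thread: it compares SHA-256 manifests of the file server tree and the backup copy. The function names and the example paths are assumptions.

```python
import hashlib
import os
import sys


def manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, device nodes
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def verify_backup(source_root, backup_root):
    """Compare the live tree with its backup copy.

    Returns (missing, mismatched, extra) as sorted lists of relative paths:
    missing    - on the file server but absent from the backup
    mismatched - present in both but with different content
    extra      - only in the backup (e.g. deleted from the server since)
    """
    src = manifest(source_root)
    bak = manifest(backup_root)
    missing = sorted(set(src) - set(bak))
    extra = sorted(set(bak) - set(src))
    mismatched = sorted(p for p in set(src) & set(bak) if src[p] != bak[p])
    return missing, mismatched, extra


if __name__ == "__main__":
    # Hypothetical usage: verify_backup.py /srv/data /mnt/backup/data
    missing, mismatched, extra = verify_backup(sys.argv[1], sys.argv[2])
    for label, paths in (("MISSING", missing), ("MISMATCH", mismatched), ("EXTRA", extra)):
        for p in paths:
            print(f"{label}  {p}")
    # Non-zero exit lets cron or a monitoring job flag an incomplete backup.
    sys.exit(1 if missing or mismatched else 0)
```

Run it right after the backup job finishes; files edited on the server after the copy was taken will show up as mismatches.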

