cross-posted from: https://lemmy.cat/post/6027277

I’m curious to know how people manage their different encrypted storage here. And I’m talking about the case where you really need to manage SEVERAL encrypted storages/files.

What software do you use? Where do you save your passwords (password manager/paper/other) or do you use physical keys?

In short, what’s the best combination you’ve found or recommend to cover as many attack surfaces as possible: remote, local, physical, etc.?

  • plague-sapiens
    87 months ago

    Linux and Luks full-disk-encryption for every system. Remotely unlockable via ssh. HDDs are unlocked via keyfiles which are on the fd-encrypted SSDs.

    For windows you can use VeraCrypt (don’t use Bitlocker!).

    For single files I usually use 7zip or Peazip with long passwords.

    • retiolusOPA
      37 months ago

      HDDs are unlocked via keyfiles which are on the fd-encrypted SSDs

      I hadn’t even thought of that!

    • @LWD@lemm.ee
      17 months ago

      If anybody is choosing between Bitlocker for full disk encryption on a Windows computer, and leaving it mostly unencrypted, I would recommend Bitlocker. At least that system provides some level of protection from physical thievery. Veracrypt is generally considered more trustworthy, but IIRC is a little riskier.

      • plague-sapiens
        27 months ago

        Why riskier? Keep a backup of the boot-image and you’re good. And do generally backups of files and devices. Haven’t had any issue for years with Win10/11 and VC. Win7 and TC/VC on the other hand was awful…

    • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
      07 months ago

      I like this idea. I never use keyfiles - I’m irrationally paranoid of losing them - but I’ve been doing a good job of regularly backing up (in a way I’m confident of recovering from) for the past several years, so I’m going to let go of that fear and embrace keyfiles.

  • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
    67 months ago

    gocryptfs, because encrypted shares are accessible cross-platform(ish), and I have high confidence of having either a working static binary, or the ability to compile one, several years in the future.

    Passwords are all in a pass store, and also in a keepass db. I’m probably going to do away with pass and go back to some secret-tool backed be keepassxc, though, as I haven’t been very happy with pass (I use gopass, but same db format). I depend far more on keepass, and keeping the dbs in sync is a minor PITA, as well.

    In any case, I have a bespoke bash script that mounts/unmounts shares on demand via a rofi dialog. pgp-agent does the password prompting as necessary, which pass uses to decrypt the passwords.

    Everything - including the encrypted shares - is backed up by restic to encrypted backups - one each in B2, one each on local portable USB HDs.