<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>How I would do it in a "more secure than the default" way:<br></div>- on the cloud:<br></div>dd if=/dev/zero of=/home/myself/disk/mydisk.bin bs=1M count=10k<br>
</div><br></div>Export /home/myself/disk via NFS, sshfs, whatever you like. I usually use sshfs.<br><br></div>- on your desktop:<br></div>sshfs root@my-super-cloud-provider.com:/home/myself/disk /mnt/point1<br>LOOPDEV=`sudo losetup -f`<br>
sudo losetup -e aes $LOOPDEV /mnt/point1/mydisk.bin <br></div>sudo mount -o user $LOOPDEV /mnt/mydisk<br></div>sudo chown -R myself /mnt/mydisk<br><br></div>On the first time you will use the disk, you should format it. After losetup and before mount, issue a mkfs.ext3 $LOOPDEV (or ext4, or fat12, as you wish). You will have an encrypted gigantic file on your NSA-friendly cloud provider, secure ssh traffic between your desktop and the cloud, and no secure data stored on any of your desktops. As the losetup command won't save your password, even if someone steals (or issues a court order requiring from you) any of your desktops, your data will be safe.<br>
</div>If you are super paranoid, you can create another container file locally inside the remote container, and so on. A safe inside a safe is safer than a safe...<br><div>
<div><div><div><div><br>Use a key-based auth to ssh on your cloud (completely disable password logon), and USE A PASSPHRASE to unlock the key. It will put another barrier to anyone snooping on your data.<br></div><div><br>
</div></div></div></div><div class="gmail_extra"><br clear="all"><div>Mauro<br><a href="http://mauro.limeiratem.com" target="_blank">http://mauro.limeiratem.com</a> - registered Linux User: 294521<br>Scripture is both history, and a love letter from God.</div>
<br><br><div class="gmail_quote">2013/6/25 D. Hugh Redelmeier <span dir="ltr"><<a href="mailto:hugh-pmF8o41NoarQT0dZR+AlfA@public.gmane.org" target="_blank">hugh@mimosa.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
| From: Ken Heard <<a href="mailto:kenslists-R6A+fiHC8nRWk0Htik3J/w@public.gmane.org" target="_blank">kenslists-R6A+fiHC8nRWk0Htik3J/w@public.gmane.org</a>><br>
<div><br>
| I certainly see your point about virtualization, and also the differing<br>
| meanings of "cloud". As I wanted to I imply in my first post, I was<br>
| talking about using the cloud as a place to store backed up user files,<br>
| not for virtualization. Such files would normally be packed in several<br>
| encrypted tarballs.<br>
<br>
</div>That seems pretty safe. In particular, there is no processing in the<br>
cloud that requires an unencrypted form of the data.<br>
<br>
Still: someone could learn when you are coming and going and connect<br>
you-in-Canada with you-in-Thailand. That doesn't sound bad since<br>
there are probably already many other ways that you leak that<br>
information.<br>
<div><div>--<br>
The Toronto Linux Users Group. Meetings: <a href="http://gtalug.org/" target="_blank">http://gtalug.org/</a><br>
TLUG requests: Linux topics, No HTML, wrap text below 80 columns<br>
How to UNSUBSCRIBE: <a href="http://gtalug.org/wiki/Mailing_lists" target="_blank">http://gtalug.org/wiki/Mailing_lists</a><br>
</div></div></blockquote></div><br></div></div></div>