cross-posted from: https://lemmy.cat/post/6027277

I’m curious to know how people manage their different encrypted storage here. And I’m talking about the case where you really need to manage SEVERAL encrypted storages/files.

What software do you use? Where do you save your passwords (password manager/paper/other) or do you use physical keys?

In short, what’s the best combination you’ve found or recommend to cover as many attack surfaces as possible: remote, local, physical, etc.?

gocryptfs, because encrypted shares are accessible cross-platform(ish), and I have high confidence of having either a working static binary, or the ability to compile one, several years in the future.

Passwords are all in a pass store, and also in a keepass db. I’m probably going to do away with pass and go back to some secret-tool backed by keepassxc, though, as I haven’t been very happy with pass (I use gopass, but same db format). I depend far more on keepass, and keeping the dbs in sync is a minor PITA, as well.

In any case, I have a bespoke bash script that mounts/unmounts shares on demand via a rofi dialog. pgp-agent does the password prompting as necessary, which pass uses to decrypt the passwords.

Everything - including the encrypted shares - is backed up by restic to encrypted backups - one each in B2, one each on local portable USB HDs.

Linux and LUKS full-disk-encryption for every system. Remotely unlockable via ssh. HDDs are unlocked via keyfiles which are on the fd-encrypted SSDs.

For Windows you can use VeraCrypt (don’t use Bitlocker!).

For single files I usually use 7zip or Peazip with long passwords.

@LWD@lemm.ee

If anybody is choosing between Bitlocker for full disk encryption on a Windows computer, and leaving it mostly unencrypted, I would recommend Bitlocker. At least that system provides some level of protection from physical thievery. Veracrypt is generally considered more trustworthy, but IIRC is a little riskier.

Why riskier? Keep a backup of the boot-image and you’re good. And generally do backups of files and devices. Haven’t had any issue for years with Win10/11 and VC. Win7 and TC/VC on the other hand was awful…

@LWD@lemm.ee

The answer to the first sentence is everything you wrote after it

I like this idea. I never use keyfiles - I’m irrationally paranoid of losing them - but I’ve been doing a good job of regularly backing up (in a way I’m confident of recovering from) for the past several years, so I’m going to let go of that fear and embrace keyfiles.

retiolus
creator

HDDs are unlocked via keyfiles which are on the fd-encrypted SSDs

I hadn’t even thought of that!
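
The setup quoted above keeps the HDD keyfiles on the encrypted SSD. As an added example (not written by anyone in this thread), the script below audits the keyfiles a crypttab-format file refers to, flagging missing files, loose permissions and unexpected ownership. It assumes Linux with GNU `stat`; the function names, the throwaway crypttab and its UUIDs are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: audit the keyfiles named in a crypttab-format file.
# audit_crypttab <crypttab> [expected-owner-uid, default 0]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_crypttab() {
    local tab="$1" uid="${2:-0}" bad=0 name dev key opts mode owner
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac    # blank line or comment
        case "$key" in ''|none|-) continue ;; esac   # passphrase prompt, no keyfile
        case "$key" in /dev/*) continue ;; esac      # e.g. /dev/urandom for swap
        if [ ! -f "$key" ]; then
            echo "$name: keyfile $key missing"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$key")
        owner=$(stat -c '%u' "$key")
        case "$mode" in
            400|600) ;;                              # owner-only access
            *) echo "$name: keyfile $key has mode $mode, want 400 or 600"; bad=1 ;;
        esac
        if [ "$owner" != "$uid" ]; then
            echo "$name: keyfile $key owned by uid $owner, want $uid"; bad=1
        fi
    done < "$tab"
    [ "$bad" -eq 0 ]
}

# Constructed demo: a throwaway crypttab with one good keyfile, one
# world-readable keyfile and one that does not exist.
demo() {
    local d rc=0
    d=$(mktemp -d)
    head -c 4096 /dev/urandom > "$d/hdd1.key"; chmod 400 "$d/hdd1.key"
    head -c 4096 /dev/urandom > "$d/hdd2.key"; chmod 644 "$d/hdd2.key"
    cat > "$d/crypttab" <<EOF
# name  device                  keyfile       options
root    UUID=constructed-0000   none          luks
data1   UUID=constructed-0001   $d/hdd1.key   luks
data2   UUID=constructed-0002   $d/hdd2.key   luks
data3   UUID=constructed-0003   $d/hdd3.key   luks
EOF
    # The demo files belong to the current user, so pass that uid.
    audit_crypttab "$d/crypttab" "$(id -u)" || rc=$?
    rm -rf "$d"
    echo "exit status: $rc"
}
demo
```

The script does not check that the keyfile itself sits on an encrypted filesystem, which is the property the quoted setup relies on.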
