I’m working towards digitizing all of my paper documents. This includes sensitive information such as bank statements, medical records, etc.
All of these files are stored in my home folder and synced to my home server and laptop via Syncthing (no relays or anything only on LAN/VPN). All of the aforementioned devices use ZFS native or LUKS encryption on their disks.
I thought maybe I should create a small container that I could encrypt with LUKS and mount it to store these types of files, but wanted to get the communities opinion / practices before adding another layer.
Since all of these devices are “trusted” or “owned” by me, is it necessary to add another layer of encryption?
Is there really a threat that a bad actor could steal these files from a running machine?
Well the good news is that the banks and other buisnesses probably have already leaked your data.
Jokes(?) aside, go ahead and double encrypt bank statements etc… Especially if they are older. How often do you need them? So, what is your time lost per year typing in an extra password for that data?
Fair point. Time spent is relatively minimal and I don’t access these files often. Simply archival purposes in the event I have to reference or require a copy of something.
I don’t know if I’ve ever seen a remote attack that results in file theft really, seems mostly ransomware type attacks which I have offline backups for. The concern was really from the server perspective as that does host some things like a Teamspeak and other game servers. The user permissions are set correctly so those applications/containers don’t have access.
I’d say not overkill depending on context.
If you unlock your machine to let someone use it, or they otherwise compromise your drive’s encryption key you may want MORE sensitive data to be encrypted with another layer.
Or, lets say you end up running some malware - it will run in your running user context which has access to an unlocked encrypted drive.
I mean all my Macs are fully encrypted with FileVault, but my password manager is still encrypted too…
They certainly exist.
Biggest ones in recent memory being Sony and Equifax, but don’t think you’re personally immune.
Absolutely right. I certainly know of those breaches, but am thinking about that in a different (incorrect) context that those are connected devices.
My threats are likely breaches through a various game or voice server I’m hosting. While they are in VMs and on separate subnets from my main LAN I suppose it’s still possible there.
The other is what I run on my machines. Mostly my development tools and games. Not immune to malware though which is likely my biggest worry.
Everything else I store are the usual suspects…photos, music, etc.
The only downside is that I can’t access them on mobile. That’s not really a concern for me though.
Probably could use veracrypt to make sure I stay cross platform, but I run Linux anywhere I do real work.
Depends. If you are worried you are going to get a malware that will exfiltrate your data, it’s better to have them encrypted. Just think about it, you wouldn’t use a plaintext file to store your passwords, even if you would be storing the file on a LUKS or ZFS encrypted drive. You’d still use Keepass or similar stuff for that.
If your PC or NAS is running 24/7, you may want to encrypt it in an encrypted volume or archive that doesn’t usually stay opened. Else, if you shutdown your PC often and you don’t feel like online exfiltration can be an issue, you should probably be fine. Just make sure that your backups are encrypted and you can access your key in the event of a ransomware or other disaster.
All great points. Considering the type of files I’m storing is effectively everything one would need to steal my identity I’m going for the second layer of encryption.
I do use Keepass (KeepassXC) for all my passwords. So that’s a good way to think about it.
This LUKS encrypted folder will stay unmounted 99% of the time.
All of my backups are done with Duplicacy and are encrypted on LUKS encrypted drives. Two cold backups, one offsite and one onsite. Server is technically the local backup, but that’s always on. Always as in even if the power and cable goes out… it has a large battery and cellular WAN fail-over.
So generally an encrypted home folder or the like is there for the purpose of someone stealing your physical drive not being able to access your data, but when your computer is on and unlocked people could still access the data because when the drive is mounted the data is accessible as if it weren’t encrypted. In your case you’re saying that you’re only mounting that drive while you’re using the data which would mean that there’s a limited time that the data is essentially unencrypted. This reduces most of the risk of something grabbing that data. Most of the remaining risk isn’t going to go away by encrypting the data again but there may still be a purpose to it.
The biggest risk that would go away if you encrypt the files individually is that all of the data couldn’t be stolen at one time, basically only the data in whatever file you have open would be able to be stolen by malware. It would not prevent the stuff you have open from being stolen because presumably at the very least the malware could do screen grabs and key logging.
Now the other important thing is that whatever is used to do the encryption cannot be on the compromised computer itself. For example, if the encryption method is just a password the malware could key log the password and gain access to any file encrypted by that password. So instead you have to use something like a yubikey.
I personally use a yubikey with a gpg certificate on the key. The way it works is that I have to have both the yubikey and a pin code to decrypt a file. The certificate that encrypts things never leaves the yubikey but if someone stole the yubikey they would still need the pin code to do anything with it. In the case of gpg encryption the whole file isn’t decoded using the yubikey instead there’s a header that gets decrypted by the yubikey that has a certificate to decrypt the rest of the file, the certificate in the header is unique to each individual file so even if that’s grabbed by the malware it can still only decrypt the single file. The reason it’s done that way is so that file decryption speed isn’t limited by the yubikey but by that cert in the header being encrypted and unique you still get the benefit of not having your entire encryption method stolen.
Now, if you’re not willing to go through the hassle of an external key system, then just having the drive encrypted and only mounting it when needed is probably good enough because there’s really only a slight increase in security by using a secondary layer of encryption from the machine itself. That being said I might be understating the security benefit because there’s also the fact that there’s a lot more malware out there that’s going to just grab files off a disk than do both that and try and grab your encryption keys.
Also, to be honest I mostly just do all of that for my encryption because I find the concept and practice of computer security to be fun/neat, not because I’m all that paranoid people are going to steal stuff directly off of my computer. I feel like in reality having a good eye for sketchy downloads and phishing scams is going to make people getting stuff directly from your computer pretty much a non-problem. Then again, you could always get unlucky lol
Well currently all of my disks are encrypted. This will just be a folder that will be encrypted that I’ll open to reference or store away things like bank statements. It being opened will be pretty rare, maybe 2x a month.
It will never be opened on the server so the theft would have to happen from my desktop or laptop.
Good idea about the yubikey. I do have a few of those kicking around for other items. I agree with security being fun/neat which is why I’m here really…
I’m well versed in what not to download / click on. My primary concern was that server which does have ports/services exposed to the outside world. An attacker would have to break through the VM walls or my network architecture to get to my files though.
Safe than sorry, but if the right guy wants it he’ll get it.
I have a lot of personal documents (copy of birth certificate, marriage certificate, health records) that I have ‘digitised’ should anything happen to the paper originals. So I have gone through much the same as the OP.
My documents exist on an Unraid server, with every drive LUKS encrypted. The KeepassXC database on one of those drives is further protected by a password and keyfile combination.
If I take anything off of the Unraid server, it gets encrypted as a backup on USB sticks I have attached to my house/car keys. One of those USB sticks is protected with a Veracrypt volume (password and passfile) and the others are all encrypted with Cryptomator.
Periodically I will mount each of those USB sticks, open the encrypted files with Cryptomator or Veracrypt and then run FreeFileSync, which is an amazing application that I donate to. That effectively does an rsync against all of the files on the Unraid server shares and updates the files on the relevant USB stick. I then close the Veracrypt/Cryptomator volume and they stay out of my computer until I next need to do a backup.
Cryptomator has some disadvantages - first is that the encrypted file names/directory paths can be very long, so if you are then backing up those files to an optical drive, they can often be too long for an optical disc filesystem such as JOLIET. There is also only one security factor for the encrypted files - a password. The main advantage though, is that every single file and directory is encrypted individually, so even if one file were to become corrupted, as long as the masterkeyfile can be read, you can get back a lot of the encrypted files. It also makes uploading files to the cloud a lot easier, rather than one massive Veracrypt volume!
Veracrypt’s main disadvantage for me is that if the Veracrypt volume gets damaged/corrupted, you’ve had it. No way that I am aware of to recover individual files, you’ve lost the lot. Having said that, I backup the Veracrypt volumes as one file to optical discs every so often (blu-ray is perfect for this and now reasonably priced) plus it supports multiple security ‘factors’ and multiple encryption algorithms. Without checking, I think my volume is encrypted with AES and then Serpent, so that in effect achieves what the OP was thinking of?