Comment on Storing encryption keys for backup drives
lorentz@feddit.it 4 days ago
A chain is as strong as its weakest link. If you store your encryption keys in plain text in an unencrypted partition you are not very resilient against an attack.
There is no general advise for security, you always have to frame it in a treat model. What do you use encryption to protect for?
If you want to be able to safely dispose the drives without having to wipe them, storing the keys in a different drive (not partition) could be good. If you want to protect your data against physical thief, storing the decryption keys in plain text in the same server doesn’t make sense.
If you want to protect by a state sponsored actor, keep in mind xkcd.com/538/
Something you have to consider is how likely your drives and your encryption keys can be stolen together. How quickly you can realize that only one of them got stolen, and how quickly you can protect the other one to keep you data safe.
A simple approach could be: print them down and put them in a safe box, maybe at a trusted relative or friend’s home. But again, it boils down to what do you want to protect most, because there is no definitive answer to your question
lorentz@feddit.it 4 days ago
Also, keep in mind that really good passwords can be easy to remember or recover. Pick your favourite book at home, get the last word of the first 10 chapters and put all of them together. You get a password that is impossible to bruteforce, literally written in your home but impossible to guess for anyone else but you. Of course it won’t be easy to type. But is still a good main password for a password manager which stores all the others.