External file storage security

I got stuck here.

I have several files (backups from a 2FA app, my E-SIGN key and some private notes) that I want to keep away from anyone, on a separate drive from my main backups.

All I found are recommendations to use LUKS.

Well, will it be enough? Or should I combine it with VeraCrypt or Picocrypt?

Because if my E-SIGN key is stolen, an attacker will be able to sign documents on my behalf, including taking loans, making purchases etc.

Any recommendations? In this case I want to go deeper into the security of these files.

And would a regular Transcend 8 GB flash drive be suitable for this? Or even a TF card? Because I want something tiny, not only to encrypt but to hide somewhere.

One layer of encryption should be good enough, unless you want more flexibility to apportion different blocks to separate VMs and be able to selectively decrypt data per isolated context. For that you’ll need to use encrypted containers with cryptsetup or maybe one of the tools you mentioned. I would also check out Picocrypt-NG (GitHub - Picocrypt-NG/Picocrypt-NG: A very small, very simple, yet very secure encryption tool), which is a continuation of the archived Picocrypt source code. Oh, and LUKS only works on Linux, just so you know.

Some Nitrokey models support encrypted storage. They seem to have a TPM of sorts from this documentation:

Q: Does the Nitrokey Storage contain a secure chip or just a normal microcontroller?

Nitrokey Storage contains a tamper resistant smart card.


There are many options.

If using a Mac, you can encrypt external drives with FileVault. On Windows Pro you can use BitLocker to do the same.

For open source solutions there is Veracrypt and Cryptomator.

Ultimately the level of security of any of these tools will rest with the strength of password or pass phrase you secure them with. So make sure it is long and complex.

I forgot to mention that I use Linux (Pop!_OS) :sweat_smile:


Use LUKS. Nothing better on Linux.

If you are too paranoid: Picocrypt-NG (not just Picocrypt) or Cryptomator on top of LUKS. But I think it is too much.

Always remember to make STRONG (16+ chars) passwords.

And for all that is sane and holy, write the password down on paper and lock it in a safe.

Here’s a web graphic for password complexity levels. And another forum post that has relevant info. LUKS2 on any decently up-to-date system uses argon2id by default nowadays, so no need to worry there. This hashing algorithm requires memory in addition to compute, which slows down unlocking when you put your password in, and also slows down attackers who can buy arrays of GPUs to do a bunch of compute but are more constrained on memory.

For a deep dive on this subject read Security Now! Transcript of Episode #388 . Search “Leo: Very nice. Memory hard problems. Not hard memory, memory hard.” to jump to the discussion point. Now you also have to rely upon the program’s correct implementation which may be a reason to use two encryption technologies for the extra careful person. Though this adds to the complexity of the whole process: access (more complicated setups lead to greater possibility of user error), maintenance of the codebases and therefore the number of tools you need to keep up to date on. It doubles the chance for code to go wrong in terms of data integrity; however, scrambling data twice isn’t inherently hazardous. As long as you use trusted, well-audited tools they should do the job reliably however many times you stack them. I’m just trying to get across that simplicity as a security feature shouldn’t be overlooked.
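A worked example of the "use LUKS2 with argon2id" advice in the last two replies. This is an added example, not something posted by anyone in the thread: it formats a removable device as a LUKS2 volume with argon2id, then parses `cryptsetup luksDump` to confirm that every keyslot really uses argon2id with a memory cost at or above a floor you choose (a keyslot converted from an old LUKS1 header, or one created with an older cryptsetup, can still be PBKDF2 or argon2i even when the system default is argon2id). The cryptsetup flags are real options; the device path, the mapper name `vault`, the memory floor and the two sample dumps are assumptions and constructed data, not output captured from a real drive.

```shell
#!/bin/sh
# Added example (not from the original thread): create a LUKS2 volume with
# argon2id on a removable drive and verify the keyslot PBKDF from luksDump.
# Assumptions: device path passed as $1, mapper name "vault", and the memory
# floor below. The sample dumps at the bottom are constructed, not captured.
set -eu

# Floor for argon2id memory cost. cryptsetup reports "Memory:" in KiB, so this
# is 256 MiB; chosen as an assumption suitable for an 8 GB stick + a laptop.
MIN_MEMORY_KIB=262144

# Format $1 as LUKS2 with argon2id (destroys all data on it; needs root).
# --pbkdf-memory is in KiB (1 GiB here; cryptsetup caps it at half of RAM),
# --iter-time is the target unlock time in milliseconds.
format_vault() {
    dev="$1"
    cryptsetup luksFormat --type luks2 \
        --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --pbkdf-memory 1048576 --pbkdf-parallel 4 \
        --iter-time 5000 \
        "$dev"
    cryptsetup open "$dev" vault
    mkfs.ext4 -L vault /dev/mapper/vault
    cryptsetup close vault
}

# Read `cryptsetup luksDump` text on stdin; print one line per keyslot:
# "<slot> <pbkdf> <memory_kib>" ("-" when the PBKDF has no memory parameter,
# e.g. pbkdf2). Only the Keyslots section is parsed; Digests also say
# "pbkdf2" but that is the header digest, not the unlock KDF.
keyslot_pbkdf() {
    awk '
        /^Keyslots:/            { in_slots = 1; next }
        /^(Tokens|Digests):/    { in_slots = 0 }
        !in_slots               { next }
        /^  [0-9]+: /           { slot = $1; sub(/:$/, "", slot); pbkdf = "?"; mem = "-" }
        /^[ \t]+PBKDF:/         { pbkdf = $2 }
        /^[ \t]+Memory:/        { mem = $2 }
        /^[ \t]+Salt:/          { print slot, pbkdf, mem }
    '
}

# Succeed only if every keyslot uses argon2id with Memory >= MIN_MEMORY_KIB.
check_luks_pbkdf() {
    slots=$(keyslot_pbkdf)
    [ -n "$slots" ] || { echo "no keyslots parsed from dump" >&2; return 1; }
    printf '%s\n' "$slots" | while read -r slot pbkdf mem; do
        if [ "$pbkdf" != "argon2id" ]; then
            echo "keyslot $slot uses $pbkdf, not argon2id" >&2; exit 1
        fi
        if [ "$mem" -lt "$MIN_MEMORY_KIB" ]; then
            echo "keyslot $slot: argon2id memory ${mem} KiB below ${MIN_MEMORY_KIB} KiB" >&2; exit 1
        fi
    done
}

# Constructed luksDump excerpt: one argon2id keyslot with 1 GiB memory.
GOOD_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  7
        Memory:     1048576
        Threads:    4
        Salt:       00 11 22 33
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 110130'

# Constructed weak header: slot 0 argon2id but only 32 MiB, slot 1 still pbkdf2.
WEAK_DUMP='LUKS header information
Version:        2

Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     32768
        Threads:    4
        Salt:       aa bb
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
        Salt:       cc dd
Tokens:
Digests:'

# Stand-alone run: exercise the checker on the constructed dumps, then on a
# real device only if one was given.
if printf '%s\n' "$GOOD_DUMP" | check_luks_pbkdf; then echo "good dump: OK"; else exit 1; fi
if printf '%s\n' "$WEAK_DUMP" | check_luks_pbkdf; then echo "weak dump passed?!" >&2; exit 1; fi
if [ -n "${1:-}" ]; then
    format_vault "$1"
    if cryptsetup luksDump "$1" | check_luks_pbkdf; then
        echo "$1: every keyslot uses argon2id with >= ${MIN_MEMORY_KIB} KiB"
    else
        # Fix a weak slot in place with: cryptsetup luksConvertKey --pbkdf argon2id "$1"
        echo "$1: weak PBKDF settings" >&2; exit 1
    fi
fi
```

Run it without arguments to see the checker accept the good dump and reject the weak one; run it as root with a device path (`./vault.sh /dev/sdX`) to format the stick and verify the result. The parser stops at the Digests section on purpose: LUKS2 headers always show a `pbkdf2` digest there, and reading it as the keyslot KDF is a common false alarm.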