I'm not worried, I'm prepared...
...well, yeah I am actually a bit worried too.
We’ve all got sensitive things that we need to protect both in the sense of privacy and availability. For my family I’ve settled on a Cryptomator vault that resides on a hosted Nextcloud instance in the EU.
Why the EU? Simple, GDPR makes companies far, far more likely to protect our privacy.
Why the privacy….errr….fanatacism? My wake up call was that a few weeks after my mother died my step son, who has a different last name, had not lived in our house for years, owns his own house with his girlfriend, had met my mother only once and had never set foot in her house, received a cold call from a real estate agent offering to sell Mom’s house. This got me thinking about how easy it would be for a bad actor to string together bigger threats based on information I have. Tax documents, employment contracts, medical records, rental agreements, mortgage and banking details details that could allow someone to construct a social engineering chain leading to a personal or professional disaster. And don’t even get me started on passwords...
Why Cryptomator? While my NextCloud instance has filesystem encryption enabled I wanted another layer for certain documents and images, seeing a footnote on PrivacyTools.io suggesting “If you're not able to switch your cloud service immediately, consider encrypting with Cryptomator.” I investigated and it checked all of the boxes I was looking for
领英推荐
What I have today makes me pretty comfortable. What I think of as my primary vault sits on NextCloud. I have clients on my RHEL laptop and my wife’s MacBook (both with encrypted filesystems) that replicate the vault in, while not real time, certainly quickly enough for our needs. On a daily basis I have a cron job that replicates the vault to a RaspberryPi NAS with an onboard UPS that sits next to my go bag because...you just don’t know. As George Michael so famously sang, I’m only human, so another cron job on the NAS creates a date stamped backup of the vault and manages a 60 day retention cycle. My wife’s iPhone and my Android can access the vault via WebDAV. Why not just hit the NAS? Well I prefer not to rely on my in house IT when we may be traveling for extended periods and I’m just happier not having any inbound traffic.
Going back to my Mom for a moment, we had a rather interesting conversation when I was in my twenties that ended with me telling her “I’m not worried, I’m prepared.” So, yes I actually do have a copy of RHEL, with an encrypted filesystem, on a USB drive on my keychain and, you guessed it, the Cryptomator vaults gets replicated there on most weekends when I do my patching.
Do you need to go to these lengths? I’m sure some of you have gone much further than me and will find gaping holes in my plan here. If so I’d love to hear from you. For others what we do here may be totally over the top, but I would suggest considering your own privacy and availability situation as well as your threat model and then see if Cryptomator on NextCloud or in Google Drive or an AWS S3 bucket or something else might fit your requirements.
VP - Enterprise Technology Operations
1 年Great discussion Chuck - I'm in!