With Christmas in full swing, my attention swung again to organising family photos.
Again, iOS iPhoto provides great and seamless automatic organisation of photos. But pathetic persistence of that organisation outside the application.
This is summarised pretty well in this article. As the author says – it’s great for organising, with the failing that photos saved to PC lose all that organisation. Apple could just opt to allow iCloud Control Panel (the PC app) to automatically create folder names for the collections and moments. But they don’t. Or – they could tag the photos with embedded tags. But they don’t.
The only choice is to preserve them forever in a large enough iCloud account for all your photos, which you would pay for. Since I have over 100GB of photos and movies since before the iPhone was invented, and which will persist long after Apple have
There’s a dilemma I’ve had for quite a while:
- I want to store bank statements, documents, etc. securely at home
- I want them easily and immediately accessible to the family via a Windows share, without having to use passwords, etc
- But I want them to be irrecoverable by a thief if the hard drive is stolen
You can see the dilemma. How can I ensure that an encrypted drive/partition/whatever, is automatically mounted or accessible without any need for a password by family members – BUT is not by a thief, with exactly the same lack of interaction, by a thief? Whatever you have at home, the thief will also be able to take.
There are two solutions that I could see to this:
- We use the family member – the thief doesn’t have them (hopefully). Hence we need something they are, have, or know (the three factors). A sensible and seamless way would be their own laptop login – if you have a password on your laptop (we do – mine is on a work domain, my wife’s is system Truecrypted). When the member logs in, their laptop then trusts them. The laptop then needs to convey that trust to the encrypted data store – such as Windows domain, where the domain can check that the user has logged in successfully, and has a ‘ticket’ to access resources. Hence, if we encrypt the files using Windows encryption, and then allow access to those files to a logged-in user with rights to access them, we should be good to go!
Well, yes…. But this is full of ‘but’s. For a start, my laptop is on a work domain – I can’t add it to a home domain that easily (whilst still being logged into work via VPN). I don’t have a domain server at home, nor do I want one. And how about our iPhones / iPads – this means we can’t use them with the encrypted file share.
There’s also another question: “Why not just mount the truecrypt volume file over the network from the laptop?”. Well, yes. And No. Because it’s not possible to mount truecrypt volumes remotely over a Windows share (believe me, I’ve tried).
- We use some kind of temporary key – something that exists for everyday use at home, but is lost, or can be removed easily, if the drive is taken. For example, ideally a key on a network share somewhere else in the house where the thief can’t find it, or something that is lost if the server is unplugged and removed (I was thinking of a volatile-memory USB stick for this, but they don’t seem to exist).
Or – if we can’t make the key disappear automatically, perhaps we can at least easily remove it, if we have to, by knowing the drive is compromised
So – I’ve used the second approach. Although a determined, careful thief could thwart it, I’m working on the principle that 99% of them will just sell the drive as-is, and only 1% may even take a look and try to copy, let alone circumvent security.
What my approach does is this:
- Store the sensitive data in encrypted TrueCrypt containers on the server
- Encrypt the containers using a keyfile, which is temporarily copied to the server’s internal drive for the purposes of opening the containers, and then is removed as soon as they are open
- Copy that keyfile, at auto-login time, from a drive which is synced with an online file sharing system (Dropbox, Sugarsync, etc)
IF I find the drive has been stolen – I delete the keyfile (which is completely innocuous) on my own shared drive. Then:
- If the thief steals and turns on the server, the encrypted volumes (on an external drive) aren’t available anyway
- If the thief steals the external drive, they are useless without the keyfiles
- If the thief steals both server and drive, and connects them, AND also connects the server to the internet at any time before connecting the external drive and rebooting, the shared drive will sync, and the master keyfile will be removed, unavailable to open the volumes
- If the thief steals both drives, connects them together, does not connect to the internet at all, and boots the server with the drive attached – then the encrypted volumes will mount successfully and he’ll have access to my files
It’s a big IF, no?
AND… for as long as the thief doesn’t show, the server will boot, mount the files, and everyone at home will be able to immediately mount them at //server/share_dir.
Hi – I’ve found the same. When OneNote tries to cache the BoxCryptor files, it corrupts the entire cache (not just the Boxcryptor notebook, but ALL my notebooks – Boxcryptor, Skydrive direct, Local, etc).
OneNote is a fantastic tool, and works great in many shared scenarios – including via an occasionally-attached network share via VPN – so evidently it’s getting confusion and pain by the local vs network virtual drive presented by Boxcryptor.
I have used OneNote successfully with a Truecrypt partition on OneNote (although not fully tested how it works when shared ,with the TC files being infrequently synced by Dropbox because they’re usually open and Dropbox needs them to be detached first).
I’m going to go back to that while Boxcryptor try to find a fix, but I suspect they might not because it sounds the issue is with OneNote not liking like the new version, and the new version is probably seen as an improvement in general.