| Just additional note, it is possible to store /etc/cgd/* content on usb
| memory, already tested. You just need to add a line into /etc/fstab.
I was thinking about that (keeping local data safe yet not be a
hassle on every reboot) some time ago and came up with three variants:
- an USB storage on a cable, reasonably secured (ie. bolted to the
wall, so an attacker is more likely to just plug it off)
- a bluetooth device for key storage that could be hidden/securely
mounted somewhere nearby the server
- a remote server that only responds to the expected IP address
(which causes pain when your internet connection goes down)
Additional brownie points given for auto-destruction which seems
necessary wrt recent legislation in certain parts of the world ("Sorry,
I don't have the key, your [law enforcement] agents destroyed it when
they confiscated the server").
Cheers,
mjl