
Security Update: YubiKeys, Upcoming Synology DSM 7.2 Update, 1TB MicroSSDs.

Status
Not open for further replies.

RCA

1. In the first quarter of 2023, Synology will release version 7.2 of its DSM operating system. The very big change here is the ability to encrypt entire drives - which makes 100% secure encryption easy. To the point, even if someone steals your Synology system and does a reset or whatever - they won't be able to read the contents without the appropriate authorization.

2. Ahhh. A search of this forum for "YubiKey" comes up empty. --- Really. YubiKey should be the cornerstone of your security. YubiKey 5 Series is what to get:


These each store two passwords. The first is used for OTP (One Time Security), such as what you get with Google Authenticator: A one-time password that times out and then changes. Only, you don't need to be connected to the internet to use it --- and it is easier to use. Also, the online authenticators can be cloned - so they don't have perfect security. The second password is configurable for a number of different protocols and can be used to make the YubiKey provide a certain kind of password for certain systems. You can also use it to create a highly complex static password that never changes - unless you force it to change. This static password can be used for about anything, including encrypting hard drives.

2a. Passwords are generated to the console app (or whatever field the cursor is in), as well as the clipboard. You generate the first OTP password just by touching the YubiKey for no more than 2.5 seconds. The second type of password will be generated by touching for longer than 3.5 seconds. So, that makes it very fast and easy to use. Usually, people just stick the YubiKey into the USB socket on their keyboard (most have at least one) or the lightning socket of their iPhone.

2b. You should have at least one backup for a key that you register for every app where you register the first one. You can have more than one backup - but you really need to be careful to keep account of them, so if one goes missing you will know. I number them. These keys don't have to be identically configured, except for static passwords. So, if you have say 1Password - you have to figure out where to add the YubiKeys, then add at least two, in case one gets lost.

2c. It cannot be overemphasized that your configuration, control/management and archival of these YubiKeys has to be the central focus of your attention. If you lose all YubiKeys in an otherwise perfectly secure system with full disk encryption and the like, then you are probably totally screwed. You really have to know what you are doing and not make mistakes. Especially when starting out, you should keep Google Authenticator around as a secondary 2nd-Factor authorization system until you have developed some skill dealing with YubiKeys. For example, you can make the mistake of setting up security with a YubiKey configuration - then changing the YubiKey configuration before deactivating the old YubiKey configuration. Only after very carefully validating your configuration of the YubiKeys should you deactivate other forms of 2nd-factor authentication (that are hackable).

2d. I store 2 YubiKeys and other security information in a plastic waterproof pouch I picked up at REI ( https://www.rei.com/product/158952/nite-ize-runoff-waterproof-pocket ). That pouch is on a leather shoestring I bought at Walgreens (I advise treating it with leather soap first). I can easily pull it out of whatever shirt I am wearing, as the leather string is long enough and the pouch easily sticks up inside the shirt. The copies are stored safely at home in a vault - or in a bank deposit box.

2e. Just as importantly, keep at least one good password in memory that you can always prepend or append to the YubiKey generated password. This helps ensure that should anyone get hold of one of your YubiKeys, they still cannot generate the right password to get into apps or decrypt files. You can also remember ways to modify the password (such as deleting a certain number of characters at the end or beginning). There is really no limit to how much more secure you can make this system. JUST REMEMBER, if you are securing some SSD or flash card that you may not touch for a couple of years, in that time frame - you should assume that you may very well have forgotten whatever you thought you could remember. You need backups such as a card box or a piece of paper hidden someplace such as behind a picture frame or in a book you would never get rid of.

3. Nowadays you can get tiny micro SSD cards that can hold 1Tb of data. In fact, I could easily fill my pouch with 100+ such cards or 100+ Terabytes of data. Amazing - isn't it? And I keep it with me 24/7. I'll leave the problem of dealing with the shower, swimming pool, and other such anomalies to your creativity. The best microSD cards have transfer speeds of 150Mbs. Actually, my preference is 512Mb cards. The free "VeraCrypt" application is your secret tool here. You can have it create a gigantic encrypted drive on the microSD card that needs the static password (plus your easy to remember prefix password) to open the drive.

Generally:

A. You must be absolutely sure you have YubiKey backups in case of fire, earthquake, theft or other such events. You must have enough control over where these backups are kept that you can easily determine if one was misplaced (number the devices) or stolen. One could argue that the safest policy for at least yourself is for only one device that you always keep on your person. For that, you have to really know that you can trust yourself. I don't trust myself that much. But some people do. For me, accidents happen, especially if you have something you don't touch for long periods of time. I have misplaced passwords for Samsung SSD devices and so they are not even usable unless I send them to Samsung to be erased - in which case I lose the data. I know from experience, that over years, you tend to lose control of devices for one reason or another. You also have to set up a system that is going to last at least until you become too senile to even use it.
The other problem is setting up a modified system so that others, such as your wife, children or business partners, can get access to any data they might need should you become incapacitated.

B. The more you can divide your security key management between different nodes of control, so much the better for reducing the probability of someone breaking into your data or getting access to critical services. On the other hand, too much complexity can introduce problems of management and control. You could have an SSD drive that requires three differently configured YubiKey static passwords, plus your in-memory password to open. You could hide those 3 YubiKeys in completely different geographic locations that only you know: (1) Around your neck, (2) Bank safety box, and (3) In your highly secure home safe. In addition, VeraCrypt allows you to create hidden drives - so that even if someone tried to extort you to give them the passwords to all of your drives, - well they wouldn't even know it existed. And such a strategy might work if you don't plan on accessing the SSD drive except in case of an emergency, e.g. as a backup.







Also, facial recognition, such as what you get with the iPhone, is not totally secure. They can make 3D sculptures of a face with certain materials that can fool iPhone 14 facial recognition. Although, at present, it is extremely difficult to do.
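
How the time-based one-time codes shown by an authenticator app such as Google Authenticator are computed, as an added example that is not part of the original post: a Python sketch of RFC 6238 TOTP using the RFCs' published test secret. It shows that a code depends only on a stored seed and the clock, so no network is needed, and that any copy of the seed produces the same codes, which is why the enrolment seed has to be protected.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of elapsed 30 s windows."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server side: accept current window +/- drift, constant-time compare."""
    now = unix_time // STEP
    ok = False
    for counter in range(max(0, now - drift), now + drift + 1):
        ok |= hmac.compare_digest(hotp(secret, counter), submitted)
    return ok

# Test secret published in RFC 4226 / RFC 6238, not a real credential.
SEED = b"12345678901234567890"
# What an enrolment QR code carries: the same seed, base32-encoded.
ENROLMENT_B32 = base64.b32encode(SEED).decode()

def clone_matches(unix_time: int) -> bool:
    """A second device that imported the enrolment string shows the same code."""
    copied_seed = base64.b32decode(ENROLMENT_B32)
    return totp(copied_seed, unix_time) == totp(SEED, unix_time)

if __name__ == "__main__":
    for t in (59, 89, 149):                      # constructed timestamps
        print(t, totp(SEED, t), "accepts code from t=59:",
              verify(SEED, totp(SEED, 59), t))
    print("clone shows same code:", clone_matches(59))
```
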
 