PDA

View Full Version : [SOLVED] Transfering sensitive data quickly and securely?



NormaJean
June 28th, 2011, 03:41 AM
Ahoy hoy,

Just wanting to bounce around ideas with people who know more about this then me ;)
My company needs to send sensitive data across to another company, 800gb of .dpx.

The way I have thought of is:
E-Sata/1TB WD black.
True-encrypted/ hw accelerated aes (3x machines being built with 2600k)
Sha1sum on each file.

The main goal is to make sure that
1. The files that were transferred off the server onto the drive, are exactly the same.
2. Secure.
3. Fast.

Thanks in advanced!

papibe
June 28th, 2011, 03:50 AM
I'll assume that the machines are running Linux. I would:
Create non admin accounts.
Disable shell and login using passwords.
Create ssh keys for secure logins.
Transfer files using rsync over ssh using the encrytion option.


Just a thought.

NormaJean
June 28th, 2011, 04:00 AM
They will need to be sent by DAS due to various constraints of our connections.
Sorry, I should have specified.

-----
Also, the systems are there because we will be sending over 50 of these drives out.

drdos2006
June 28th, 2011, 06:03 AM
Sounds to me like you need to set up VPN and let the 50 clients download from your server.
my 2cents worth.

regards


Maybe if you have limited upload, then upload to another server with a big download pipe....then allow downloads from there. You did not specify the limitations of your connections. Maybe a torrent might be more suitable.???

NormaJean
June 28th, 2011, 07:26 AM
We're a production house, you mention the word torrent and everyone leaps.
I'm not sure the exact specifics of the connection at our D/C, something to find out -- I was just told that when they investigated the idea of having them just download off us that 800gb- 2TB from 50 different companies is too much of an ask.

Which is fair enough, but cheers for the input it is something that I will be investigating.

Drenriza
June 28th, 2011, 07:39 AM
If you send data on a regular basis, then why not use a internet connection with a site-to-site or secure GRE tunnel over a VPN connection?

Use isakmp, defi helman group 1, 2 or 5, with an AES 128, 192 or 256 encryption to exchange keys and use a AES 128, 192 or 256 encryption, with a hash value with ipsec for the data transfer.

And control the data transfer with a access control list.
To control who can download and who cant, what data should be encrypted, and so on. Make a access-list that allows different clients to download at different times. The sky is the limit :p

EDIT.
And with low lifetimes on (key exchange, transfer set, tunnel validation) to keep everything secure.

SeijiSensei
June 28th, 2011, 02:29 PM
We're a production house, you mention the word torrent and everyone leaps.

Sad to hear that. A situation where you're shipping a single large file to 50 clients is an ideal case for torrenting. Perhaps your staff needs a little education on the difference between a protocol like bittorrent and what people do with it. You might remind them that people transfer illegal files lots of other ways, too. Even by good-old HTTP.

Oh, and most torrent clients include an encryption option for an additional layer of security.

Lars Noodén
June 28th, 2011, 03:35 PM
They will need to be sent by DAS ...

What is DAS?

HermanAB
June 28th, 2011, 06:33 PM
You mean: Was ist DAS?
;)

Anyhoo, the OP mentioned a HW encrypted HDD. That is certainly a good way to do it. Just copy the data with rsync onto the disk. Rsync has error detection built in, so the copy will be good. Then send the disk with a courier.

Bachstelze
June 28th, 2011, 09:44 PM
1. Make a big .tar with all the files, compute SHA512 checksum of the .tar
2. Encrypt with GnuPG, send the key and checksum through SSH since it's small
3. Copy on the drive, no need for TrueCrypt since it's already encrypted
4. Ship drive
5. Let them decrypt it and verify the checksum
6. Profit

NormaJean
June 29th, 2011, 12:18 AM
SeijiSensei: We know, but sadly everything we do (storage team) is heavily influenced by what they think they need. So even though it's not the most viable -- essentially, what they say goes.

Lars Noodén: Direct Attached Storage, external drive.

HermanAB: I totally forgot about rsync /doh. Will give it a performance run.

Bachstelze: Cheers, The way we were going to have it is have 1gb of unencrypted with a txt of the checksum but I like the idea of them ssh'ing into a box and just grabbing the file.

Thanks guys, I'll let you know how we go in the next month or so.