Wait, how's this gonna help? If someone swipes the machine, they also have the TPM. TPM only helps against someone reading the disks on another machine. TPM is only useful to protect data during physical access if the rest of the firmware/software stack is impenetrable. In practical terms this would mean locked UEFI, disabled alternate boot device, Secure Boot, locked GRUB, and locked logins. In effect the security of the data is transferred from the knowledge of a passphrase to the knowledge of a login password, and the attack surface is expanded across multiple systems that all have to be secure and configured correctly to not allow access prior to OS login.
avidamoeba
Only useful if the backup machine isn't also used as a hot spare.
Swallowed the clickbait, hook, line and sinker.
HardKernel makes a few ODROID models that come with available Android TV builds. Some have the same chipset as the AMLogic on the CCwGTV 4K and they aren't terribly expensive. If I wanted an open source Chromecast replacement I'd go for that.
Got it, so take the NES out of the drawer.
Now this makes perfect sense.
It's rockets for space tourism.
I dump the db too.
With that said, if backing up the raw files of a db while the service is stopped can produce a bad backup, I think we have bigger problems. That's because restoring the raw files and starting the service is functionally equivalent to just starting the service with its existing raw files. If that could cause a problem then the service can't be trusted to be stopped and restarted either. Am I wrong?
Oh yeah, that would be a disaster. If not handled correctly.
If someone can log in as root on that machine, by for example rebooting in recovery mode, they can also run the script and access the drives. Or they can get the password from the keyring. A keyring that doesn't require a password to unlock or whose password is stored somewhere on the machine is equivalent to plain text storage. There's no obvious solution other than ensuring the system can't be rooted without a login. I'm just pointing the flaw out in case you feel it's more secure than it is.