I was envisioning the data access model like this:
1 computer (master)
X many computers (clients)
web/gtk/whatever front end
The clients generally would need the most updating, as new ways to do
data entry/collating are thought up. The master, though, would change
Since technology can be used to track everything and anything, and
that's inescapable, my thought was that _audit_ trails should be stored
too. A given data record should list EVERY action that has ever been
taken against it. That way, moles in the data entry land are tracked
(since every person they look up is tracked by the master). Moles at
the admin level are always possible, but I think that making the master
very resistant to physical breach takes the danger out of data loss.
All you get is vandalism then, rather than wholesale theft.
If the critical importance of the key is understood by the admin, it's
much less to teach. Rather than a long list of things they
should/shouldn't do, this is simple: never ever give this key to anyone.
Not over the phone, not in person, don't write it down, don't send it in
email. And the passphrase entry system could be set up using an
on-screen set of letter selectors, to help avoid passive keyboard and
monitor EM scanning, for the REALLY paranoid. You enter the passphrase
with arrow keys, starting with a randomized set of letters on the
If the master is treated as an appliance, then it's only the data that
is important. With the encrypted backups, if you lose the appliance,
you just set up another one and restore the data. The goal would be to
not have any admin actions needed on the machine.
Kees Cook @outflux.net
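The per-record audit trail described in the post, sketched as runnable code. This is an added illustration, not code from the post or from Kees Cook: the store, the operator names and the sample activity are constructed for the example, and the SHA-256 hash chain over the log (so that an admin-level mole who edits or deletes an entry is detectable) is an assumption that goes a step beyond what the post itself proposes.

```python
"""Added example (not from the original post): a record store whose master
logs every action taken against every record, reads included, and chains
the log entries with SHA-256 so a later alteration or deletion is detectable.
All names, the record layout and the hash chain are assumptions."""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # assumed sentinel prev_hash for the first entry


@dataclass
class AuditEntry:
    seq: int          # position in the log
    actor: str        # who acted (client operator or admin)
    action: str       # "create", "lookup" or "update"
    record_id: str    # which record was touched
    detail: str       # what was seen or changed
    prev_hash: str    # hash of the preceding entry (the chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash covers every field except entry_hash itself; the JSON list
        # gives a canonical encoding of the fields.
        body = json.dumps([self.seq, self.actor, self.action,
                           self.record_id, self.detail, self.prev_hash])
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditedStore:
    """Records plus an append-only log of every action taken against them."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.log: List[AuditEntry] = []

    def _append(self, actor: str, action: str, record_id: str, detail: str) -> AuditEntry:
        prev = self.log[-1].entry_hash if self.log else GENESIS_HASH
        entry = AuditEntry(len(self.log), actor, action, record_id, detail, prev)
        entry.entry_hash = entry.compute_hash()
        self.log.append(entry)
        return entry

    def create(self, actor: str, record_id: str, data: dict) -> None:
        self.records[record_id] = dict(data)
        self._append(actor, "create", record_id, json.dumps(data, sort_keys=True))

    def lookup(self, actor: str, record_id: str) -> Optional[dict]:
        # Reads are logged as well as writes: this is what lets the master
        # see which people a data-entry operator has been looking up.
        rec = self.records.get(record_id)
        self._append(actor, "lookup", record_id, "hit" if rec is not None else "miss")
        return None if rec is None else dict(rec)

    def update(self, actor: str, record_id: str, changes: dict) -> None:
        rec = self.records[record_id]
        before = {k: rec.get(k) for k in changes}
        rec.update(changes)
        self._append(actor, "update", record_id,
                     json.dumps({"before": before, "after": changes}, sort_keys=True))

    def history(self, record_id: str) -> List[AuditEntry]:
        """Every action ever taken against one record."""
        return [e for e in self.log if e.record_id == record_id]

    def lookups_by(self, actor: str) -> List[str]:
        """Which records an operator has looked up, for spotting moles."""
        return [e.record_id for e in self.log
                if e.actor == actor and e.action == "lookup"]

    def verify_chain(self) -> bool:
        """False if any entry was altered, removed or reordered."""
        prev = GENESIS_HASH
        for seq, entry in enumerate(self.log):
            if (entry.seq != seq or entry.prev_hash != prev
                    or entry.compute_hash() != entry.entry_hash):
                return False
            prev = entry.entry_hash
        return True


def build_demo_store() -> AuditedStore:
    """Constructed sample activity: two client operators and one admin."""
    store = AuditedStore()
    store.create("clerk-a", "person-001", {"name": "A. Example", "phone": "555-0100"})
    store.create("clerk-a", "person-002", {"name": "B. Example", "phone": "555-0101"})
    store.lookup("clerk-b", "person-001")
    store.lookup("clerk-b", "person-002")
    store.lookup("clerk-b", "person-003")  # a miss, but still logged
    store.update("admin", "person-001", {"phone": "555-0199"})
    return store


def tampered_copy(store: AuditedStore) -> AuditedStore:
    """An admin-level mole quietly erases one of clerk-b's lookups."""
    evil = copy.deepcopy(store)
    del evil.log[3]
    return evil


if __name__ == "__main__":
    s = build_demo_store()
    for e in s.history("person-001"):
        print(e.seq, e.actor, e.action, e.detail)
    print("clerk-b looked up:", s.lookups_by("clerk-b"))
    print("chain intact:", s.verify_chain(), "after tampering:", tampered_copy(s).verify_chain())
```

The chain only makes tampering detectable; it does not prevent it, and an admin who controls the whole log could rebuild every hash. In the post's model that is what the physically hardened master and the encrypted off-box backups are for: comparing the log against a backup copy (or periodically publishing the latest entry_hash somewhere the admin cannot edit) is what turns detection into something an insider cannot undo.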