Mike Belopuhov wrote:
> On Wed, May 17, 2017 at 12:42 -0400, Ted Unangst wrote:
> > Stefan Sperling wrote:
> > > I also have some machines which are affected by this, and I am
> > > not sure what to do about it. I cannot judge the advantages of
> > > either AES implementation.
> >
> > There's very little advantage to a constant time implementation for disk
> > encryption. The threat model doesn't really include such side channels.
> >
>
> This is simply not true if you have local users on the same box.
> http://www.cs.tau.ac.il/~tromer/papers/cache.pdf
I think we've reached agreement regarding reverting XTS, but for the benefit of anyone following along at home or who might find this thread later...

The insider threat where I have some hostile user on my computer, who runs some code to extract the disk key, then this user physically steals the computer to recover data... I would say far-fetched, but let's just go with minority threat.

For most people, the threat is leaving a laptop bag in a taxi, or getting burgled, or going through customs. Like 90%. 99% even? No insider threat here.

Another very popular use case doesn't even involve a threat. It's very easy to repurpose a machine/disk that uses full disk encryption. Change the key, and you've instantly wiped the disk. Personally, this is the main reason I use and advocate everyone use disk encryption. It's not about machines being stolen, but about machines I plan to give away in the future.
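To make concrete what the "constant time implementation" debated above actually changes, here is an added example that is not code from this thread, from OpenBSD, or from either AES implementation under discussion. It builds the AES S-box arithmetically (inverse in GF(2^8) followed by the affine map), then looks a byte up two ways: the table-driven way, where the memory address read is the secret byte itself, and a constant-time way that reads every entry and selects the wanted one with a mask. The read_entry/touched instrumentation is an assumption added for illustration: it counts which table entries a lookup reads, which is a stand-in for the cache-line footprint a co-resident process would observe in the Tromer et al. attack linked above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t hi = a & 0x80;
        a <<= 1;
        if (hi) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 == 1 for a != 0); the inverse of 0 is taken as 0. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

static uint8_t sbox[256];

/* Derive the S-box rather than typing in 256 constants: inverse, then the AES affine map. */
void build_sbox(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t b = gf_inv((uint8_t)x);
        uint8_t s = b;
        for (int k = 1; k <= 4; k++)
            s ^= (uint8_t)((b << k) | (b >> (8 - k)));   /* rotate-left by k */
        sbox[x] = s ^ 0x63;
    }
}

/* Instrumentation (assumed for this example): record which table entries a lookup touches. */
static int touched[256];
static uint8_t read_entry(int i) { touched[i]++; return sbox[i]; }
static void clear_trace(void) { memset(touched, 0, sizeof touched); }
static int entries_touched(void) {
    int n = 0;
    for (int i = 0; i < 256; i++) if (touched[i]) n++;
    return n;
}

/* Table-driven lookup: the address read is determined by the secret byte x. */
uint8_t sbox_lookup_tabled(uint8_t x) { return read_entry(x); }

/* Constant-time lookup: read every entry, keep only the one whose index equals x. */
uint8_t sbox_lookup_ct(uint8_t x) {
    uint8_t r = 0;
    for (int i = 0; i < 256; i++) {
        uint32_t d = (uint32_t)(i ^ x);
        uint8_t mask = (uint8_t)(((d - 1) >> 8) & 0xff);   /* 0xff iff i == x, else 0x00 */
        r |= read_entry(i) & mask;
    }
    return r;
}

/* Number of distinct table entries each lookup reads for a given secret byte. */
int trace_tabled(uint8_t x) { clear_trace(); sbox_lookup_tabled(x); return entries_touched(); }
int trace_ct(uint8_t x)     { clear_trace(); sbox_lookup_ct(x);     return entries_touched(); }

/* 1 if the constant-time lookup agrees with the table for every input byte. */
int ct_matches_table(void) {
    for (int x = 0; x < 256; x++)
        if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_tabled((uint8_t)x)) return 0;
    return 1;
}

int main(void) {
    build_sbox();
    printf("S(0x00)=0x%02x S(0x53)=0x%02x\n", sbox_lookup_ct(0x00), sbox_lookup_ct(0x53));
    printf("tabled lookup of 0x53 reads %d entry, ct lookup reads %d entries\n",
           trace_tabled(0x53), trace_ct(0x53));
    return 0;
}
```

The point is the trace, not the result: both lookups return the same byte, but the tabled one reads exactly one entry whose index is the secret, while the masked scan reads all 256 regardless of the input, so its memory access pattern carries no information for a neighbour timing the cache. Two caveats a practitioner should keep in mind: an optimising compiler is free to turn the masked scan back into a branch or an indexed load, so production constant-time AES (bitsliced, vector-permute, or AES-NI) avoids table lookups altogether rather than relying on this idiom; and the counter here tracks entries, whereas a real cache attack sees cache lines, so a 256-byte table spans only a few lines and leaks the high bits of the index rather than all of it.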
