-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tracy R Reed wrote:
> I am beginning to think that every laptop should have an encrypted > filesystem. If the laptop gets stolen it's no big deal. You only lose > the hardware and not your data to identity thieves Simply setting a non-trivial SMART HD password would prevent the casual thief, interested primarily in your hardware, from accessing your data. Yes, I know it can be broken, or the platter removed, but it costs more to do that than the thief would possibly get for the laptop. If someone is specifically after your data, easy to put a camera in your room, a snoop on your keyboard, lift your prints off of your coffee cup, or whatever. > (which you have safely backed up at home, right?). Safely backed up at home on your USB hard drive which is stolen in a break-in by teenagers ? Of course, there's 'tar -cvf - [dirs] | gpg -c \> [backupfile.gpg'. > If this were common practice it would end all of these stories about > peoples SSN's and secret government data being lost with laptops. This is of more than casual interest to me since: (1) I've had two laptops stolen in the past 5 years, (2) I've been getting these sheepish letters from the VA (as a vet whose data was lost), and (3) as a VA employee I am having to jump through all kinds of hoops for data security, most of which have little to do with security and are thought up by people with little understanding of same (e.g. only PKI encryption can be used for email transfer of data ... but the keys cannot be transmitted voa email --- i.e. they don't understand PKI at all --- and of course the only VA-approved encryption software is only for Windows platforms --- or a few selected ancient versions of unix/linux which you would be crazy to be running due to known vulnerabilities). I agree that all laptops should have encrypted disks, but disk encryption costs. I ran some tests on a system with dm-crypt using aes-essiv:sha256, and it slowed disk performance by a factor of 2-5x. Using encfs, performance slowed 12-20x compared to native reiserfs. Of course, this was also using encrypted swap and files larger than memory. In reading about encryption, it also looked to me like there were potential weaknesses in every disk encryption system for linux except loop-aes, and none except StegFS have plausible deniability. And AFAIK, no distribution offers installation to an encrypted root file system. Although with LUKS, dm-crypt and loop-aes can be set up to access, say, a thumb drive for the keys, which could easily be proved to be destroyed (hey, even I can't access my data), but then how do you prove you didn't have a backup (and who wouldn't) ? Perhaps it could be set up, as Stewart Stremler suggested, to automatically use different encrypted filesystems based on the password (try the password against all, use the first for which it works or report an error), or use encrypted systems within encrypted systems (performance degradation multiplies). But then where would the code for the "chooser" application reside ? It would be unencrypted, or encrypted with a single password which you must presumably know, so there goes plausible deniability. StegFS has plausible deniability, when used with multiple levels, but there is a real potential for accidental data loss. Dave Looney - -- The rotten apple often does not fall far from the rotten tree, and if you have a lot of rotten apples, who's caring for the orchard ? - Salmon Rushdie -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFChpdNEZw+18StY8RAqg9AJ9KPLYiFge64r652il7skLbSF9o9gCfa/5A wjXzTUXGnX6aT/+oIUxhuJs= =vvOz -----END PGP SIGNATURE----- -- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
