Being realistic, however, if you offered 1000 random people a $1000 prize to get into your system, using the BIOS AES disk encryption, it's unlikely any of them would pull it off. With softraid, I am only lacking rootkit protection, by doing a sha1sum on my /altroot partition, from the encrypted system, during boot, which is simple enough to set up, but I have no reason to.

On Fri, Jul 20, 2012 at 9:12 PM, Robert Connolly <[email protected]> wrote:

> I have been using softraid full disk encryption, with the exception of the
> /altroot partition, on my laptop. I have no real threat. I just want it so
> that if someone wants to go through my laptop, they can't without my
> permission. With OpenBSD's full disk encryption, and a locking screen
> saver, there is no known way into my system, with any amount of resources
> available. The overhead isn't a problem unless I'm copying huge amounts of
> data, which is rare.
>
> The very first thing that occurred to me when reading about your BIOS
> level AES disk encryption is what is the weakest link in it. Cracking the
> AES is the last thing anyone would want to do, assuming it's genuine.
> Unless the implementation is open source, you could have something like a
> password utility that only accepts 4 characters, even if you type 50, uses
> the BIOS version for entropy, or other serious issues. There are
> underground folks who will use all their resources to look for and find
> such vulnerabilities, and we don't really know one way or the other if the
> implementation is good, unless of course it is open source.
>
>
> On Fri, Jul 20, 2012 at 2:12 AM, Wojciech Puchar <[email protected]> wrote:
>
>> Many of today's SSDs and some magnetic disks have AES-128/256 encryption
>> built in.
>>
>> If the BIOS supports it, it asks for a password, then sends it to the hard
>> disk, after which it decodes its AES key so it starts to work.
>>
>> No software crypto overhead, everything fine.
>>
>> My question - how secure is it really?
>>
>> One extremity is to assume it is certainly well done.
>> Another - that there is encryption at all, just a simple password check.
>>
>> Both are possible as there is no way to check.
>>
>> I want your opinions. Software encryption would make quite a bit of overhead
>> for my setup.
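
The boot-time check mentioned in Robert's reply (hashing the unencrypted /altroot from the encrypted system) could look like the sketch below. It is an added example, not code from the thread: it assumes `sha256sum` in place of the `sha1sum` he mentions (OpenBSD's base system ships `sha256(1)` instead), and the function names and the throwaway demo tree are hypothetical.

```shell
#!/bin/sh
# Added example: check an unencrypted tree (e.g. /altroot) against a manifest
# kept on the encrypted volume. Names and demo paths are assumptions.

# Print "<sha256>  ./relative/path" for every regular file under $1, sorted
# by path so two manifests of an unchanged tree are byte-identical.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare tree $1 with trusted manifest file $2. Diffing whole manifests,
# rather than re-checking only the listed files, also catches added and
# removed files. Returns 0 when unchanged, 1 otherwise (diff goes to stderr).
verify_tree() {
    current=$(mktemp) || return 2
    manifest "$1" > "$current"
    if diff "$2" "$current" >&2; then rc=0; else rc=1; fi
    rm -f "$current"
    return "$rc"
}

# Constructed demo: a temp directory stands in for /altroot and a temp file
# for the manifest that would live on the encrypted root.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/altroot/etc"
    echo 'kernel image placeholder' > "$work/altroot/bsd"
    echo 'rc script placeholder' > "$work/altroot/etc/rc"
    manifest "$work/altroot" > "$work/trusted.sha256"

    clean=0; modified=0; added=0
    verify_tree "$work/altroot" "$work/trusted.sha256" 2>/dev/null || clean=$?
    echo 'extra line' >> "$work/altroot/etc/rc"          # modified file
    verify_tree "$work/altroot" "$work/trusted.sha256" 2>/dev/null || modified=$?
    manifest "$work/altroot" > "$work/trusted.sha256"    # re-baseline
    echo 'dropped in' > "$work/altroot/etc/rc.local"     # added file
    verify_tree "$work/altroot" "$work/trusted.sha256" 2>/dev/null || added=$?

    rm -rf "$work"
    echo "clean=$clean modified=$modified added=$added"
}

demo
```

The check only means something if the trusted manifest and the script itself are read from the encrypted volume; symlinks and file modes are not covered by this sketch.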

