On 08/23/2018 01:35 PM, brendan.h...@gmail.com wrote:
> On Thursday, August 23, 2018 at 10:30:17 AM UTC-4, Jonathan Seefelder wrote:
>> If you keep wear-leveling in mind, and encrypt the ssd before you fill
>> it with sensitive data, I'd suggest an SSD. Ideally, you should encrypt
>> /boot also.
> 
> I've posted recommendations on how to add hardware drive encryption on top of 
> Qubes' software encryption on this list before, so I won't repost that.
> 
> In summary, 
> 
> Use an SSD that supports T13 ATA SANITIZE and TCG OPAL, and also remember to 
> enable trim in dom0 ( https://www.qubes-os.org/doc/disk-trim/ ). Enable HW 
> encryption (but also enable QUBES' software encryption).
> 
> Bonus: using SSDs with the above features, when you are done with the system 
> you can instantly (< 2s) erase all user data on the SSD by issuing either an 
> ATA SANITIZE - CRYPTO SCRAMBLE EXT command or an OPAL PSID REVERT command 
> (the latter requires the code printed on the drive label).
> 

Anything TCG is bad news - it was spawned by Microsoft's project
Palladium "trusted computing" concept and it is not owner controlled.

Do you trust proprietary closed source firmware to protect you? I don't
- those kinds of things have many holes.

There is no reason to use an SED drive.

In terms of encrypting boot, that is generally impossible without the use
of coreboot, so I suggest obtaining an owner controlled pre-PSP laptop
G505S with owner controlled firmware enforced grub kernel code signing
(you sign your own kernels, initramfs etc). It's like MS's "secure" boot
but it is actually secure because it is yours, not theirs.

The G505S has open cpu/ram init and people are apparently working on
freeing the video/EC blobs, but in the meantime IOMMU protects you.

There is a nice little Qubes 4 G505S community.
