Re: [Discuss] Full disk encryption, why bother?
On 1/3/2012 11:56 PM, Bill Bogstad wrote: I just heard about a company selling a product to maintain power on seized computers while you transport them: http://www.wiebetech.com/products/HotPlug.php It came up in the context of moving servers from one power jack to another one due to data center power changes. (Someone wanted to avoid downtime.) Anyone buying this device would do well to have paid-up life insurance: the company is selling a UPS, but they're also selling cheater cords that allow their UPS to power a live outlet with a double-male connection cord, and that's flat-out dangerous. Bill -- Bill Horne 339-364-8487 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption and backups
On 1/3/2012 10:32 PM, Tom Metro wrote: Ummm...yeah. You do realize that in order to use your data you need to decrypt it, right? :-) Yeah, but that data remains local within hopefully protected memory areas. Bacukps usually run to external storage of some sort, be they flash drives or NAS or what have you. Take the Firewire or USB link bewteen a Macintosh and its Time Machine disk. This link is completely unauthenticated and unsecured. An attacker could tap that connection without any difficulty. There are ways to deal with this but they add complexity to the backup system. The more complex you make the backup system, the more difficult you make it to use. -- Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On 01/03/2012 08:50 AM, Daniel Feenberg wrote: The built-in Fedora encryption is no trouble to establish (just check the box during installation) and maintain and on a multi-core desktop does not affect performance. An update from Fedora 13 to 16 did damage the boot record and make the disk unreadable, so I wouldn't try doing an update again. For a non-networked machine there isn't much need for updates, anyway. FWIW, I've upgraded multiple Fedora boxes where everything but the /boot partition was encrypted several times. I never had any issues. There are two potential problems I can think of that you might have tripped over. First, you skipped too many releases; they generally only support skipping 1 release on upgrades I think (so 14-16 is ok, but 13-16 is not tested at all). The other issue that I ran into on an F16 upgrade recently was completely unrelated to encryption (ie this box did not use encrypted anything). Grub2 refused to install, giving a message: /sbin/grub2-setup: warn: Your embedding area is unusually small. core.img won't fit in it.. /sbin/grub2-setup: warn: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged.. /sbin/grub2-setup: error: will not proceed with blocklists. Turns out (luckily) this error didn't corrupt anything, and in fact left the old grub1 install in-tact in the MBR. So i just had to copy the kernel boot lines to the old grub.conf and I was good to go. Matt ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption, why bother?
On Wed, Jan 04, 2012 at 09:24:47AM -0500, Bill Horne wrote: Anyone buying this device would do well to have paid-up life insurance: the company is selling a UPS, but they're also selling cheater cords that allow their UPS to power a live outlet with a double-male connection cord, and that's flat-out dangerous. It's not a UPS. You have to supply your own UPS to power their capture unit. And it doesn't appear to power the outlet until after the mains power is cut. That's the Patent-pending technology part I suppose. -ben -- be alone, that is the secret of invention; be alone, that is when ideas are born.nikola tesla ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On 01/03/2012 11:46 PM, Eric Chadbourne wrote: gpg, virtualbox and /home encryption. only santa knows what i'm doing and he doesn't care. ...because you're permanently on the naughty list? :-P ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption, why bother?
On Wed, Jan 4, 2012 at 1:39 PM, Ben Eisenbraun b...@klatsch.org wrote: On Wed, Jan 04, 2012 at 09:24:47AM -0500, Bill Horne wrote: Anyone buying this device would do well to have paid-up life insurance: the company is selling a UPS, but they're also selling cheater cords that allow their UPS to power a live outlet with a double-male connection cord, and that's flat-out dangerous. It's not a UPS. You have to supply your own UPS to power their capture unit. And it doesn't appear to power the outlet until after the mains power is cut. That's the Patent-pending technology part I suppose. My guess is that they basically have boxed up just the switching portion of a standby (offline) UPS. Not all systems like that kind of UPS. OTOH, many cheap UPS do it that way so it clearly works well enough for many uses. The videos where you go into the wall and clip wires or pull a plug partially out of a sock are potentially dangerous, but don't seem too bad as long as you are careful. Bill Bogstad ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption, why bother?
Starts sounding like it might be best to get a system like off-the-grid folks have, where they run inverters full time from batteries, and charge the batteries from whatever is available (PV solar, generators, wind, tractor/generators, steam engine/generators, or even just charger from the grid, etc) homepower.com has Home Power magazine that has lots of power solutions. Also, cheap inverters tend to make square or 'blocky' type AC current, where good 'full sign wave' inverters make 'good looking' power that most devices handle without any issue. Some UPSes have the same problem. I hope this helps some folks... ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On 01/04/2012 04:23 PM, Daniel Feenberg wrote: On Wed, 4 Jan 2012, Matthew Gillen wrote: On 01/03/2012 05:03 PM, Tom Metro wrote: Daniel Feenberg wrote: The built-in Fedora encryption is no trouble to establish... What tool do they use? Any other distributions that provide an integrated solution? Fedora allows you to do whole partition/volume encryption with the installer very easily. The last time I tried Ubuntu (a couple years ago), there was an option for private home directories. It would create an encrypted volume for your home directory that was keyed to your password. It would then get unlocked and mounted when you logged in. Fedora does something closer to WDE. Does this work with UEFI BIOS motherboards? Does anything? It's sort of orthogonal to UEFI I think; the secure boot mode of UEFI really just controls launching of the bootloader. It doesn't encrypt/decrypt anything, it's just check-summing and then executing. Am I wrong? Matt ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Jan 4, 2012, at 1:31 PM, Matthew Gillen wrote: Fedora allows you to do whole partition/volume encryption with the installer very easily. Fedora does so using dm-crypt/LUKS which can encrypt arbitrary block devices. Fedora provides the option to encrypt entire disks or individual partitions. Ubuntu uses eCryptfs on top of the native file system to provide file-level encryption. Two very different approaches. --Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Wed, 4 Jan 2012, Matthew Gillen wrote: On 01/04/2012 04:23 PM, Daniel Feenberg wrote: On Wed, 4 Jan 2012, Matthew Gillen wrote: On 01/03/2012 05:03 PM, Tom Metro wrote: Daniel Feenberg wrote: The built-in Fedora encryption is no trouble to establish... What tool do they use? Any other distributions that provide an integrated solution? Fedora allows you to do whole partition/volume encryption with the installer very easily. The last time I tried Ubuntu (a couple years ago), there was an option for private home directories. It would create an encrypted volume for your home directory that was keyed to your password. It would then get unlocked and mounted when you logged in. Fedora does something closer to WDE. Does this work with UEFI BIOS motherboards? Does anything? It's sort of orthogonal to UEFI I think; the secure boot mode of UEFI really just controls launching of the bootloader. It doesn't encrypt/decrypt anything, it's just check-summing and then executing. From my experience, Truecrypt and Compusec are incompatible with UEFI BIOS, and the Winmagic (Securedoc) documentation mentions this limitation explicitly. Those are all Windows programs, and I expect Linux could be quite a different situation, but in the absence of any visible information on the topic, I have no idea. Presumably there would be no interference with non-boot partitions, but what about boot partitions? I would leave the boot partition unencrypted, but I already signed agreements promising FDE for the machines, not realizing that UEFI would make that difficult. Daniel Feenberg Am I wrong? Matt ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On 01/02/2012 08:10 PM, Chris O'Connell wrote: The password used to decrypt the disk and log in to Windows is the same. Thus the process is more transparent for users. Instead of having to enter two (sometimes unrelated) passwords with Truecrypt, BitLocker users only enter one password. Same with Symantec PGP. As a matter of fact I have a BIOS password, as well as a PGP as well as computer password as well as IBM intranet password. When I log into PGP, it also logs me into the system. The BIOS password is intermittent. Sometimes it requires it sometimes not. At the IBM training webinar the presenter suggestd using the same passwords for all. However I have a different password for Lotus Notes because the password rules are different. In any case, next time I change my passwords, I'll coordinate all of them. -- Jerry Feldman g...@blu.org Boston Linux and Unix PGP key id:3BC1EB90 PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Mon, 2 Jan 2012, Tom Metro wrote: The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688): @EFF Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng Which links to this article: https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own We have a dozen or so machines with data supplied on the condition that they not be networked and be fully encrypted. They are used intermittently and the fear (of the data sources) is they might be stolen. I don't see much point in encrypting data on a network server - if the disk is mounted then the plain-text is available to an intruder and the addition of an encrypted version doesn't enhance security. For a standalone machine, it does seem to offer us protection against getting in trouble with the state of Massachusetts over disclosure of financial data should the system be lost or mislaid. That is valuable to us. We have both Fedora and Windows machines. The built-in Fedora encryption is no trouble to establish (just check the box during installation) and maintain and on a multi-core desktop does not affect performance. An update from Fedora 13 to 16 did damage the boot record and make the disk unreadable, so I wouldn't try doing an update again. For a non-networked machine there isn't much need for updates, anyway. On Windows, we have never used bitlocker, but have good experience with Compusec. http://www.ce-infosys.com/english/free_compusec/free_compusec.aspx It is extrememly easy to install and I like the ability to add an administrative password in case the user forgets the user password. It was not compatible with software RAID. I have used Truecrypt, but am put off by the documentation, which suggests that the primary purpose of encryption is to avoid police inspection. As xkcd pointed out, this is hopeless ( http://xkcd.com/538/ ). In both cases, I would like to see the encryption password (not the login password) used to unlock the screen (and reestablish decryption), but this does not seem to be available. My understanding is that the underlying encryption systems make password guessing by brute force extremely slow, so that frequent password changes are not required, not that all agencies agree. Daniel Feenberg ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Jim Gasek there is a performance hit. There may be a performance hit in some situations, but not on modern or decent computers with decent encryption. I have two points to back this up: I have a Core2 laptop running windows. I benchmarked it before enabling bitlocker, and again after enabling bitlocker. I found the performance was equal in both situations, but when bitlocker was enabled, I had 30-35% increase cpu load. In later processors (i7 for example) they support the AES instruction set, which reduces this by 1-2 orders of magnitude, which means there is no significant performance difference. The more likely scenario will be that people in corporate situations will be forced to use it. And then you won't like it. I deploy bitlocker and filevault to all my users, and they don't notice it or care. Except some - Some people demand it explicitly because they are concerned about their data being stolen. Nobody is opposed to it. Not a single person. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. First of all, the supposed 30% performance hit takes you down from 200% to 170% performance as compared to an HDD (or whatever arbitrary numbers we want to make up for comparing HDD vs SSD performance where SSD performance HDD performance). Second of all, some OSes support TRIM on encrypted drives. They just reduce the size of disk they consume by some percentage, and TRIM the unused blocks as necessary, so there are always some blocks available for use that have been TRIM'd. Third of all, some SSD's support the virtual size reduction as above, but do it at the hardware level, so there are always TRIM'd blocks available. In any of the above scenarios, the end result is no significant performance degradation on SSD's caused by TRIM vs Encryption. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro What makes Microsoft BitLocker better than TrueCrypt? Each is better in its own way. Bitlocker is better if you're an IT person who wants to protect your internal users from external attackers, and you want to ensure you're still able to access the internal users' data, if the internal user goes away for some reason. It's easy for you to deploy and control centrally, and users don't notice it or complain about it. Bitlocker is easier to use - No password necessary at boot time. The TPM performs some system biometrics (checksum the BIOS, serial number, various other magic ingredients, and only unlock the hard drive if the system has been untampered. Therefore you are actually as secure as your OS.) Truecrypt is better if you are a user, who cannot trust his IT people. You want to keep the kiddie porn, the plans for the remote government's nuclear program secret from all people, period. Are you using full disk encryption? If so, what tool are you using? I am using Truecrypt on windows. Filevault on OSX Lion. Nothing on OSX Snow Leopard. Nothing on linux. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
A couple of more supporting links regarding TRIM and wear-leveling (from Truecrypt): http://www.truecrypt.org/docs/?s=trim-operation http://www.truecrypt.org/docs/?s=wear-leveling On Tue, Jan 3, 2012 at 12:21 PM, Chris O'Connell omegah...@gmail.comwrote: That has not been my experience at all. I have personally encrypted two machines that had SSD drives, both had modern CPUS, one was an I3 and one an I7. There was a substantially noticeable decrease in performance using TrueCrypt. In fact, the wait times increased so much after encrypting that I grew impatient waiting for boot times and Microsoft Office load times. This article has some scientific testing regarding performance on SSD drives that are encrypted: http://media-addicted.de/ssd-and-truecrypt-durability-and-performance-issues/744/ On Tue, Jan 3, 2012 at 12:07 PM, Edward Ned Harvey b...@nedharvey.comwrote: From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. First of all, the supposed 30% performance hit takes you down from 200% to 170% performance as compared to an HDD (or whatever arbitrary numbers we want to make up for comparing HDD vs SSD performance where SSD performance HDD performance). Second of all, some OSes support TRIM on encrypted drives. They just reduce the size of disk they consume by some percentage, and TRIM the unused blocks as necessary, so there are always some blocks available for use that have been TRIM'd. Third of all, some SSD's support the virtual size reduction as above, but do it at the hardware level, so there are always TRIM'd blocks available. In any of the above scenarios, the end result is no significant performance degradation on SSD's caused by TRIM vs Encryption. -- Chris O'Connell http://outlookoutbox.blogspot.com -- Chris O'Connell http://outlookoutbox.blogspot.com ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
From: Chris O'Connell [mailto:omegah...@gmail.com] (snipped and moved top post to bottom) On Tue, Jan 3, 2012 at 12:07 PM, Edward Ned Harvey b...@nedharvey.com wrote: ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. First of all, the supposed 30% performance hit takes you down from 200% to 170% performance as compared to an HDD (or whatever arbitrary numbers we want to make up for comparing HDD vs SSD performance where SSD performance HDD performance). Second of all, some OSes support TRIM on encrypted drives. They just reduce the size of disk they consume by some percentage, and TRIM the unused blocks as necessary, so there are always some blocks available for use that have been TRIM'd. Third of all, some SSD's support the virtual size reduction as above, but do it at the hardware level, so there are always TRIM'd blocks available. In any of the above scenarios, the end result is no significant performance degradation on SSD's caused by TRIM vs Encryption. That has not been my experience at all. I have personally encrypted two machines that had SSD drives, both had modern CPUS, one was an I3 and one an I7. There was a substantially noticeable decrease in performance using TrueCrypt. In fact, the wait times increased so much after encrypting that I grew impatient waiting for boot times and Microsoft Office load times. Your first comment was about TRIM as it relates to SSD's. TRIM is only applicable for write performance. Your read performance is the same regardless of TRIM. Your second comment is about booting windows (a bunch of read operations) on SSD encrypted by truecrypt. If this performs poorly, it's because of truecrypt performing poorly, unrelated to SSD or TRIM. I previously commented, There may be a performance hit in some situations, but not on modern or decent computers with decent encryption. I would have expected truecrypt to perform well, and I am surprised that at least in your case, truecrypt is not what I am calling decent encryption. I don't know if perhaps there's a configuration issue you're able to change and correct... Upgrade to a later version of truecrypt, or change the encryption protocols (AES vs Serpent vs Blowfish etc). Perhaps there's a known issue where truecrypt performs poorly on certain types of hardware - I don't know. But I do know that I deploy bitlocker on SSD's to users, and it works great. You should expect it to work great, including truecrypt. If your performance is bad on truecrypt, I suggest tweaking it, I suggest trying something else (like bitlocker, if it's acceptable to you) and I suggest contacting the truecrypt guys for support. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
From: Chris O'Connell [mailto:omegah...@gmail.com] http://www.truecrypt.org/docs/?s=trim-operation Given: Truecrypt permits TRIM. And if you TRIM, an attacker may be able to identify some information, such as degrading your plausible deniability in some cases, or something like that. http://www.truecrypt.org/docs/?s=wear-leveling Given: Thanks to wear leveling, multiple copies of data may exist in storage. Given: If an attacker has access to multiple copies of encrypted data, it may reduce the work necessary for the attacker to decrypt the information. Now, following some logic, we conclude Never encrypt an SSD. Could you please explain the logic? It seems, running without encryption, you would give up far more than the above. You might want to revise your comment? Instead, Never use an SSD, because even with encryption, it's not secure enough for your taste? From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
Perhaps the use of the word NEVER is too strong or misleading. From personal experience I can say that given the performance decrease using TrueCrypt on an SSD drive I would never encrypt an SSD drive using TrueCrypt. I haven't tried BitLocker on an SSD drive yet. You have really proven your point Ed! Chris On Tue, Jan 3, 2012 at 2:33 PM, Edward Ned Harvey b...@nedharvey.com wrote: From: Chris O'Connell [mailto:omegah...@gmail.com] http://www.truecrypt.org/docs/?s=trim-operation Given: Truecrypt permits TRIM. And if you TRIM, an attacker may be able to identify some information, such as degrading your plausible deniability in some cases, or something like that. http://www.truecrypt.org/docs/?s=wear-leveling Given: Thanks to wear leveling, multiple copies of data may exist in storage. Given: If an attacker has access to multiple copies of encrypted data, it may reduce the work necessary for the attacker to decrypt the information. Now, following some logic, we conclude Never encrypt an SSD. Could you please explain the logic? It seems, running without encryption, you would give up far more than the above. You might want to revise your comment? Instead, Never use an SSD, because even with encryption, it's not secure enough for your taste? From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss- bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. -- Chris O'Connell http://outlookoutbox.blogspot.com ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
Bill Horne wrote: Oa k'wala wrote: Any thoughts on the kind of security risk I might be vulnerable to because I only encrypt my home dir as opposed to the full disk? Many applications use /tmp or /var files as working storage, and they leave ghosts behind. As does swap. -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption, why bother?
Richard Pieri wrote: Tom Metro wrote: Are you using full disk encryption? I don't. I take care of my gear. I made this statement before: I see WDE as enabler for carelessness. The EFF article I quoted references a prior EFF article on border crossing inspections. The encouragement to encrypt was more for privacy than for theft prevention. As someone who goes through US Customs several times a year, this gives me some concern, albeit minor. You may think you have nothing to hide, but why open yourself up to a potential fishing expedition? With the way copyright laws are trending (see SOPA), it wouldn't surprise me if being caught with a downloaded broadcast TV show on your computer will someday result in felony charges. Never mind that I have a pair of Mac Minis playing server. Sometimes they need to be restarted remotely. Can't do that with WDE. I guess for that you'd need a console server. Daniel Feenberg wrote: I don't see much point in encrypting data on a network server - if the disk is mounted then the plain-text is available to an intruder and the addition of an encrypted version doesn't enhance security. It does if the intruder is physically stealing the disk drive or the server. This would also likely apply in a government seizure scenario. They'd likely remove the equipment from the premises first, and attempt access later. (Though maybe they've wised up to this possibility?0 So yeah, you're guarding against a highly unlikely scenario, but it still has some benefit. I have used Truecrypt, but am put off by the documentation, which suggests that the primary purpose of encryption is to avoid police inspection. As xkcd pointed out, this is hopeless ( http://xkcd.com/538/ ). [The cartoon makes the point that you can be tortured with a $5 wrench to give up your password, so your high-tech encryption is pointless.] But this is what plausible deniability is all about: http://www.truecrypt.org/docs/?s=plausible-deniability If you're in a situation where law enforcement *knows* you have something they want on your disk, you've got bigger problems than your choice of full disk encryption software. :-) -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
Daniel Feenberg wrote: The built-in Fedora encryption is no trouble to establish... What tool do they use? Any other distributions that provide an integrated solution? -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption and backups
Richard Pieri wrote: And this is the great big rub with WDE: backups. File-level backups are decrypted when sent to the backup system unless the backup system itself re-encrypts everything. I'm not sure I see the big problem with backups, unless you simply find file-level backups undesirable in general. If you are performing backups while on your LAN, sending the data in the clear should be of minor concern. The backup system can then encrypt. If you are off-site, then use one of the backup systems that encrypt locally before sending the data over the wire. Systems like this are becoming increasingly common. -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption and backups
Richard Pieri wrote: And this is the great big rub with WDE: backups. File-level backups are decrypted when sent to the backup system unless the backup system itself re-encrypts everything. Generalizations galore! ;-) I suppose that depends on your choice of backup software, now doesn't it? In filevault, you have whole disk encryption, and in time machine, you have backup disk encryption too. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Tue, 3 Jan 2012, Tom Metro wrote: Daniel Feenberg wrote: The built-in Fedora encryption is no trouble to establish... What tool do they use? Any other distributions that provide an From http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption#Introduction_to_LUKS Fedora 9's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are: AES - Advanced Encryption Standard - FIPS PUB 197 twofish - Twofish: A 128-Bit Block Cipher serpent cast5 - RFC 2144 cast6 - RFC 2612 integrated solution? I believe Ubuntu has the same, haven't tried it or any other distribution. Daniel Feenberg -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Jan 3, 2012, at 9:09 AM, Kyle Leslie wrote: One of the huge benefits I think is that the encryption keys/recovery keys can be stored in AD. So that if you need to unlock or change the drives around you don't need to have the user store that some place to get lost/stolen. It stores in AD and can be recovered when we need it. This is, of course, the singular benefit of key escrow. Of course, if your AD is compromised then the attacker has access to *all* of your escrowed keys. --Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption, why bother?
On Tue, Jan 3, 2012 at 5:01 PM, Tom Metro tmetro-...@vl.com wrote: ... Daniel Feenberg wrote: I don't see much point in encrypting data on a network server - if the disk is mounted then the plain-text is available to an intruder and the addition of an encrypted version doesn't enhance security. It does if the intruder is physically stealing the disk drive or the server. This would also likely apply in a government seizure scenario. They'd likely remove the equipment from the premises first, and attempt access later. (Though maybe they've wised up to this possibility?0 Well at least some of them have. I just heard about a company selling a product to maintain power on seized computers while you transport them: http://www.wiebetech.com/products/HotPlug.php It came up in the context of moving servers from one power jack to another one due to data center power changes. (Someone wanted to avoid downtime.) Bill Bogstad ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
[Discuss] Full disk encryption
The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688): @EFF Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng Which links to this article: https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues. Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. [...] Choosing a Disk Encryption Tool [...] -Microsoft BitLocker in its most secure mode is the gold standard because it protects against more attack modes than other software. Unfortunately, Microsoft has only made it available with certain versions of Microsoft Windows. -TrueCrypt has the most cross-platform compatibility. -Mac OS X and most Linux distributions have their own full-disk encryption software built in. What makes Microsoft BitLocker better than TrueCrypt? Are you using full disk encryption? If so, what tool are you using? -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
No, I'm not for it. Just don't loose your laptop. Just don't leave your laptop, in the car, in high theft areas, like the Microcenter parking lot ;-( I've been at companies that demanded that everyone use it, and there is a performance hit. The one that we used was like a bios thing, it popped up and demanded the key before it would boot. If you have oodles of CPU and RAM, it is less annoying. The more likely scenario will be that people in corporate situations will be forced to use it. And then you won't like it. Thanks, Jim Gasek --- tmetro-...@vl.com wrote: From: Tom Metro tmetro-...@vl.com To: L-blu discuss@blu.org Subject: [Discuss] Full disk encryption Date: Mon, 02 Jan 2012 19:55:34 -0500 The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688): @EFF Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng Which links to this article: https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues. Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. [...] Choosing a Disk Encryption Tool [...] -Microsoft BitLocker in its most secure mode is the gold standard because it protects against more attack modes than other software. Unfortunately, Microsoft has only made it available with certain versions of Microsoft Windows. -TrueCrypt has the most cross-platform compatibility. -Mac OS X and most Linux distributions have their own full-disk encryption software built in. What makes Microsoft BitLocker better than TrueCrypt? Are you using full disk encryption? If so, what tool are you using? -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
BitLocker claims a single digit percentage hit. Personally I've not noticed it. ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly. On Mon, Jan 2, 2012 at 8:10 PM, Jim Gasek j...@gasek.net wrote: No, I'm not for it. Just don't loose your laptop. Just don't leave your laptop, in the car, in high theft areas, like the Microcenter parking lot ;-( I've been at companies that demanded that everyone use it, and there is a performance hit. The one that we used was like a bios thing, it popped up and demanded the key before it would boot. If you have oodles of CPU and RAM, it is less annoying. The more likely scenario will be that people in corporate situations will be forced to use it. And then you won't like it. Thanks, Jim Gasek --- tmetro-...@vl.com wrote: From: Tom Metro tmetro-...@vl.com To: L-blu discuss@blu.org Subject: [Discuss] Full disk encryption Date: Mon, 02 Jan 2012 19:55:34 -0500 The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688): @EFF Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng Which links to this article: https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues. Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. [...] Choosing a Disk Encryption Tool [...] -Microsoft BitLocker in its most secure mode is the gold standard because it protects against more attack modes than other software. Unfortunately, Microsoft has only made it available with certain versions of Microsoft Windows. -TrueCrypt has the most cross-platform compatibility. -Mac OS X and most Linux distributions have their own full-disk encryption software built in. What makes Microsoft BitLocker better than TrueCrypt? Are you using full disk encryption? If so, what tool are you using? -Tom -- Tom Metro Venture Logic, Newton, MA, USA Enterprise solutions through open source. Professional Profile: http://tmetro.venturelogic.com/ ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss -- Chris O'Connell http://outlookoutbox.blogspot.com ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On Jan 2, 2012, at 7:55 PM, Tom Metro wrote: What makes Microsoft BitLocker better than TrueCrypt? ... because it protects against more attack modes than other software. Are you using full disk encryption? If so, what tool are you using? I don't. I take care of my gear. I made this statement before: I see WDE as enabler for carelessness. We keep hearing about lost notebooks with sensitive information on them. If the bearers of those notebooks weren't so careless then their notebooks wouldn't have been lost in the first place. Better still, if the data on those laptops were kept on secure servers with controlled VPN access instead of on portable equipment then loss of that portable equipment wouldn't be an issue. Legacy FileVault restore is a PITA. You can't restore normally. You either restore the entire sparsebundle for the user's home directory or mount the backup volume and pluck out files by hand. FileVault2 addresses this because it is a WDE system, but FV2 has its own issues. And this is the great big rub with WDE: backups. File-level backups are decrypted when sent to the backup system unless the backup system itself re-encrypts everything. One MITM attack and everything is compromised. Container and block backups require restoring the entire container or block device; they can't be used to restore single files, at least not without great difficulty, and block device (bare metal) restores usually need to restored to identical hardware to work correctly. I had TrueCrypt WDE on my netbook and BitLocker on my gaming rig at home. I ripped them out because of the backup/restore hassles. The perception of security just isn't worth it. Never mind that I have a pair of Mac Minis playing server. Sometimes they need to be restarted remotely. Can't do that with WDE. --Rich P. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
What makes Microsoft BitLocker better than TrueCrypt? I've used TrueCrypt; no experience w/ BitLocker. Are you using full disk encryption? If so, what tool are you using? I use Ubuntu which allows encryption of the home directory. I keep all of my personal/sensitive stuff in the home directory, so I figured encrypting the home dir would be enough. The decryption happens upon login and my password is sufficiently long. Any thoughts on the kind of security risk I might be vulnerable to because I only encrypt my home dir as opposed to the full disk? I recently came across advice to use cascading encryption, which I understand to mean nesting encryption, where each is a different kind (aes, blowfish, etc.) This seems overkill for most folks. ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
On 1/3/2012 12:16 AM, a k'wala wrote: Any thoughts on the kind of security risk I might be vulnerable to because I only encrypt my home dir as opposed to the full disk? Many applications use /tmp or /var files as working storage, and they leave ghosts behind. Bill -- Bill Horne 339-364-8487 ___ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
