Poll: Do you use full disk encryption on your laptop/portable?

Yes, and it has AES-NI extensions, encryption accelerator, or the like.   47%  [ 9 ]
Yes, and it does not have special instructions for encryption.            15%  [ 3 ]
No, it's too much overhead                                                21%  [ 4 ]
No, too much work to set up                                               10%  [ 2 ]
No, I don't have a portable machine to get stolen.                         5%  [ 1 ]

Total Votes: 19
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 4152, Location: Bavaria
Posted: Tue Dec 06, 2022 10:02 pm
szatox,
I know you have great IT knowledge and experience, and I know you know what FDE can do. I am not against FDE at all (as you can see, I have searched for an FDE solution); I am "only" not a friend of it, because it lets inexperienced people think wrongly about security (yes, I know somebody who thought he was now safe against any hacks). To these people (not to you) I want to say: first harden your kernel, then build SELinux or AppArmor, use a firewall and build IMA (integrity management), and THEN think about FDE ...
But on one point I must contradict:
szatox wrote:
    [...] but fde is easier to setup, [...]
fscrypt is easier!
( https://forums.gentoo.org/viewtopic-p-8629644.html#8629644 )
BTW: No, ...
szatox wrote:
    Losing a few CPU cycles is not nearly enough of a downside to not encrypt system if you want to use any disk encryption at all.
... I don't care about this; all modern CPUs have AES and therefore it costs almost nothing.
eccerr0r (Watchman)
Joined: 01 Jul 2004, Posts: 9679, Location: almost Mile High in the USA
Posted: Tue Dec 06, 2022 11:39 pm
Still, people are using non-modern CPUs... :(
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
wowpetr (n00b)
Joined: 12 May 2018, Posts: 12
Posted: Thu Jan 05, 2023 1:49 am
I have deniable encryption on my laptop. It has two SSDs. The first SSD is Windows without any encryption. The second is Gentoo with full disk encryption (LUKS2) without any partitions and with a detached header. So no one can say there's something on the second drive; it looks like an uninitialised, empty drive. I have a USB flash drive that has /efi, /boot and a LUKS2 partition with the header and the key inside it, which are used to unlock my second SSD while booting from USB. So if the USB flash drive is attached, the laptop boots Gentoo from the second SSD, but if it's not attached, then Windows boots. This way you can always tell that there is nothing on the second disk and you are not using it - deniable encryption.
eccerr0r (Watchman)
Joined: 01 Jul 2004, Posts: 9679, Location: almost Mile High in the USA
Posted: Thu Jan 05, 2023 7:36 am
I'd venture to say that a drive that looks like random gobbledygook is a candidate for being an encrypted volume no matter what - rarely do people keep a disk with random data on it; it's either blank with 0's or has something on it.
Anything else is "sus" ...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
wowpetr (n00b)
Joined: 12 May 2018, Posts: 12
Posted: Thu Jan 05, 2023 2:28 pm
eccerr0r wrote:
    I'd venture to say that a drive that looks like random gobbledygook is a candidate for being an encrypted volume no matter what - rarely do people keep a disk with random data on it; it's either blank with 0's or has something on it.
    Anything else is "sus" ...
Of course, if the laptop falls into the hands of specialists, they may suspect that the disk is encrypted, but they cannot prove it without the flash drive. If the laptop falls into the hands of ordinary people, then they will most likely decide that the disk is empty.
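The two checks that the exchange above turns on can be scripted: whether a LUKS header is present on the drive at all (wowpetr's detached-header volume has none), and whether the data "looks like random gobbledygook" in eccerr0r's sense. The following is an added example written for this page, not code from the thread or from cryptsetup; the four sample images, the UUID and every function name are constructed here, and the header fields it reads (6-byte magic, big-endian version, 40-byte UUID at offset 168) are the ones both LUKS on-disk formats share.

```python
"""Triage a raw disk image for encrypted-volume candidates.

Added example for this thread; not code from cryptsetup or from any poster.
Two checks: (1) is there a LUKS header on disk (a detached-header volume has
none), and (2) does the data look like ciphertext (high entropy) rather than
zeros or a plaintext filesystem. All images below are constructed in-file.
"""
import math
import random
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1 or LUKS2 header
CHUNK = 4096
RANDOM_THRESHOLD = 7.5         # bits/byte; uniform random data scores ~7.95 per 4 KiB chunk
CONSTRUCTED_UUID = "8e2f0a1c-1b2d-4e3f-8a9b-0123456789ab"  # made up for the sample image


def parse_luks_header(blob: bytes):
    """Return (version, uuid) if blob starts with a LUKS header, else None.

    LUKS1 and LUKS2 both start with the magic and a big-endian uint16
    version, and both keep a 40-byte NUL-padded UUID at offset 168.
    """
    if len(blob) < 208 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", blob, 6)[0]
    uuid = blob[168:208].split(b"\0", 1)[0].decode("ascii", "replace")
    return version, uuid


def find_luks_headers(image: bytes, step: int = 512):
    """Sector-aligned offsets at which a LUKS header starts (catches partitions too)."""
    return [off for off in range(0, len(image), step)
            if parse_luks_header(image[off:off + 208]) is not None]


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_chunk(chunk: bytes) -> str:
    """zeros / structured / random-like, the three cases eccerr0r distinguishes."""
    if not any(chunk):
        return "zeros"
    return "random-like" if shannon_entropy(chunk) >= RANDOM_THRESHOLD else "structured"


def triage_image(image: bytes) -> dict:
    """Header hits plus a histogram of chunk classes over the whole image."""
    classes = Counter(classify_chunk(image[i:i + CHUNK]) for i in range(0, len(image), CHUNK))
    return {"luks_headers": find_luks_headers(image), "chunks": dict(classes)}


def build_samples() -> dict:
    """Four constructed 32 KiB images; 'ciphertext' is seeded PRNG output, not real LUKS data."""
    rng = random.Random(2023)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(8 * CHUNK))
    blank = bytes(8 * CHUNK)                                       # never-written drive
    plaintext = (b"uid=1000 home=/home/paul shell=/bin/bash\n" * 1000)[:8 * CHUNK]
    hdr = bytearray(CHUNK)                                         # minimal fake LUKS2 binary header
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 2)                              # version 2
    struct.pack_into(">Q", hdr, 8, 16 << 20)                       # hdr_size (binary + JSON area)
    hdr[168:168 + 36] = CONSTRUCTED_UUID.encode()
    return {
        "blank": blank,
        "plaintext": plaintext,
        "luks2_header_on_disk": bytes(hdr) + ciphertext[:7 * CHUNK],
        "detached_header": ciphertext,   # wowpetr's second SSD: the header lives on the USB stick
    }


if __name__ == "__main__":
    for name, img in build_samples().items():
        print(f"{name:22s} {triage_image(img)}")
```

Run against a real image with `triage_image(open("/dev/sdb", "rb").read(...))` in chunks. Two caveats a practitioner should keep in mind: a real examiner also checks the LUKS2 secondary header copy at the `hdr_size` offset, and byte entropy alone cannot tell ciphertext from compressed or already-random data, which is why the "random-like" class is a candidate list, not a verdict.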
lagalopex (Guru)
Joined: 16 Oct 2004, Posts: 562
Posted: Thu Jan 05, 2023 7:15 pm
This being about mobile computers, has anyone used clevis and tang for network-bound disk encryption?
So you don't need to type your LUKS password as long as you are in your home network with the corresponding tang server, so you gain some comfort back, at least when at home.
Both are available in the GURU overlay: app-crypt/clevis and app-crypt/tang
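What makes the tang setup above "comfort without a password on the server" is the McCallum-Relyea exchange: the tang server holds only a private key and answers blinded queries, and the LUKS keyslot is wrapped with a value that neither the disk nor the server stores. The block below is an added example for this page, not code from the clevis or tang projects. The real protocol runs the same algebra on an elliptic-curve group and ships the values as JWKs over HTTP; here the group is the multiplicative group modulo a small prime (so "point addition" is multiplication and "scalar multiplication" is exponentiation), the parameters are deliberately toy-sized, and all names are this example's own.

```python
"""McCallum-Relyea key exchange, the algebra behind tang/clevis, in a toy group.

Added example for this thread; not code from the clevis or tang projects.
Multiplicative group mod P stands in for the elliptic-curve group: padd is
multiplication, smul is exponentiation. Parameters are illustrative only.
"""
import secrets

P = (1 << 127) - 1   # Mersenne prime; toy size, not a safe parameter for real use
G = 3                # fixed group element standing in for the curve base point


def smul(k: int, point: int) -> int:
    """k * point in additive notation == point ** k mod P."""
    return pow(point, k, P)


def padd(a: int, b: int) -> int:
    return (a * b) % P


def psub(a: int, b: int) -> int:
    return (a * pow(b, -1, P)) % P


def scalar() -> int:
    return secrets.randbelow(P - 2) + 1


class TangServer:
    """The only secret a tang server keeps is its private key s."""

    def __init__(self):
        self._s = scalar()
        self.public = smul(self._s, G)   # S, what the advertisement (GET /adv) hands out

    def recover(self, x: int) -> int:
        """Recovery request: return s * X. The server never sees C or K."""
        return smul(self._s, x)


def bind(server_public: int):
    """Client side of provisioning (what `clevis luks bind` does).

    Returns (K, C): K wraps the LUKS key and is then thrown away; only C is
    written to the LUKS2 token. Without s, C alone does not yield K.
    """
    c = scalar()
    K = smul(c, server_public)   # K = c*S = s*C
    C = smul(c, G)
    return K, C


def unlock(server: TangServer, server_public: int, C: int) -> int:
    """Client side at boot: blind C with a fresh e, ask the server, unblind."""
    e = scalar()
    E = smul(e, G)
    X = padd(C, E)                            # sent to tang:  X = C + E
    Y = server.recover(X)                     # received:      Y = s*(C + E)
    return psub(Y, smul(e, server_public))    # Y - e*S = s*C = K


if __name__ == "__main__":
    tang = TangServer()
    K, C = bind(tang.public)
    assert unlock(tang, tang.public, C) == K
    print("recovered the same K:", hex(K)[:18], "...")
```

The fresh blinding factor `e` is why a tang server cannot link two recovery requests to the same disk, and why a stolen disk (which holds `C` and the wrapped keyslot) is useless away from the server. The flip side is the caveat for the "at home" convenience: tang does not authenticate clients, so anyone who carries the drive into reach of that server, or can route traffic to it, can unlock it; clevis only asks you to confirm the server's key thumbprint at bind time.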
Goverp (Advocate)
Joined: 07 Mar 2007, Posts: 2008
Posted: Wed May 10, 2023 8:44 am
Necropost:
Just found an "interesting" feature of fscrypt.
In general, having my home directories each encrypted and unlocked via logon password works well for me: no problems with mail or anything, and when I'm signed in, everything's visible.
However, yesterday I decided to "release" a shell script from a testing user's "bin" directory to the wild, "/usr/local/bin". So I did:
Code:
    mv bin/foo /usr/local/bin
and everything worked fine. Tested it from another userid, still fine. Logged out. Came back later. Tried to run it from another userid. "foo: Required key not available"! WTF?
Ah, fscrypt encryption goes with the file. Moving the file doesn't change anything; it's only decrypted if I'm signed on. I should have used "install", which would have copied the file, not "mv".
There's inconsistent behaviour here. If I move a file between /tmp (on tmpfs) and my home directory, no problem, because the differing filesystems mean move is copy+delete, and the "moved" copy gets encrypted/decrypted as appropriate. But moving files between /var/tmp and my home, both on the same filesystem, means move is real, and we get asymmetric behaviour: the file gets encrypted on moving to home, but remains encrypted when moving back to /var/tmp. Thus:
Code:
    paul@hp ~ $ echo "fred" > /var/tmp/foo
    paul@hp ~ $ fscrypt status /var/tmp/foo
    [ERROR] fscrypt status: file or directory "/var/tmp/foo" is not encrypted
    paul@hp ~ $ mv /var/tmp/foo .
    paul@hp ~ $ fscrypt status foo
    "foo" is encrypted with fscrypt.
    Policy: 3f390990b1cbd1b430aca924a9328717
    Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
    Unlocked: Yes
    Protected with 1 protector:
    PROTECTOR         LINKED  DESCRIPTION
    32c2f987c82ad4d3  No      login protector for paul
    paul@hp ~ $ mv foo /var/tmp
    paul@hp ~ $ fscrypt status /var/tmp/foo
    "/var/tmp/foo" is encrypted with fscrypt.
    Policy: 3f390990b1cbd1b430aca924a9328717
    Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
    Unlocked: Yes
    Protected with 1 protector:
    PROTECTOR         LINKED  DESCRIPTION
    32c2f987c82ad4d3  No      login protector for paul
Doing the same but on /tmp (tmpfs) produces an unencrypted "/tmp/foo".
_________________
Greybeard
maalth (Tux's lil' helper)
Joined: 06 Jun 2003, Posts: 76, Location: Can't tell you...
Posted: Sat May 20, 2023 4:29 pm
I don't encrypt my laptop because I use it for testing. I don't keep any data on it because I have 3 other systems that contain my data. The critical data is backed up to an external hard drive that's encrypted and locked in a safe.
_________________
Screw you guys, I'm going home...