On Sun, Mar 23, 2008 at 3:09 PM, Tom Haddon <tom at greenleaftech.net> wrote:
>  Hope this isn't too irrelevant, but why would you want to do full disk
>  encryption? You're slowing down your machine by forcing it to do extra
>  processing and you're encrypting many many files that are publicly
>  available and don't have any personal information in them. I don't
>  really see the point of encrypting /usr/bin, /usr/sbin, /usr/lib, /lib,
>  etc...
>  Why not just encrypt the stuff that's specific to you?

That's a great question Tom.  There are a few reasons.  Let's just
assume for a moment that I only encrypt /home, so that all my user
data is protected.  I leave for lunch and some guy happens to snag my
laptop for the hour I am gone.  During this hour, he is able to boot
my machine with a LiveCD and plant a backdoor libc library that does
bad stuff.  I log into my computer after lunch.  Upon running some
applications, unbeknownst to me, data is being leaked out to the
attacker.  Maybe he modified some read() calls to simultaneously proxy
the data out to a remote host.  Even if I had specific documents
encrypted again within the partition, the data would be unencrypted on
the fly and passed in plain text to read().  Who knows what an
attacker might do...heh.  This is why FDE is important.  Perhaps
Ubuntu can work it into the next LTS release two years from now,
whatever that solution might be :-)
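
The point made in the reply, as an added example that is not part of the original message: a Python check that reads block-device data in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports which of the directories named in the thread sit on a filesystem with no dm-crypt layer beneath it, and so can be modified from a LiveCD. The sample layout (only /home encrypted), the device names and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
# for the layout assumed in the message: only /home is encrypted.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext3", "mountpoint": "/"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "home_crypt", "type": "crypt", "fstype": "ext3", "mountpoint": "/home"}
    ]}
  ]}
]}
""")

# Directories named in the thread, plus /home for comparison.
SYSTEM_PATHS = ["/usr/bin", "/usr/sbin", "/usr/lib", "/lib", "/home"]


def mount_table(devices, encrypted=False):
    """Map mount point -> True if the device or an ancestor is a dm-crypt mapping."""
    table = {}
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            table[dev["mountpoint"]] = enc
        table.update(mount_table(dev.get("children") or [], enc))
    return table


def owning_mount(path, table):
    """Longest mount point that is a whole-component prefix of `path`."""
    best = None
    for mp in table:
        if path == mp or mp == "/" or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def exposed_paths(lsblk, paths=SYSTEM_PATHS):
    """Paths whose backing filesystem is stored unencrypted at rest."""
    table = mount_table(lsblk["blockdevices"])
    return [p for p in paths if not table.get(owning_mount(p, table), False)]


if __name__ == "__main__":
    for p in exposed_paths(SAMPLE_LSBLK):
        print("unencrypted at rest:", p)
```
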
