[sf-lug] Full Disk Encryption options?
Tom Haddon
tom at greenleaftech.net
Sun Mar 23 23:53:05 PDT 2008
On Sun, 2008-03-23 at 18:11 -0700, Kristian Erik Hermansen wrote:
> On Sun, Mar 23, 2008 at 3:09 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> > Hope this isn't too irrelevant, but why would you want to do full disk
> > encryption? You're slowing down your machine by forcing it to do extra
> > processing and you're encrypting many many files that are publicly
> > available and don't have any personal information in them. I don't
> > really see the point of encrypting /usr/bin, /usr/sbin, /usr/lib, /lib,
> > etc...
> >
> > Why not just encrypt the stuff that's specific to you?
>
> That's a great question Tom. There are a few reasons. Let's just
> assume for a moment that I only encrypt /home, so that all my user
> data is protected. I leave for lunch and some guy happens to snag my
> laptop for the hour I am gone. During this hour, he is able to boot
> my machine with a LiveCD and plant a backdoor libc library that does
> bad stuff. I log into my computer after lunch. Upon running some
> applications, unbeknownst to me, data is being leaked out to the
> attacker.

Interesting, hadn't thought of that as a possibility before. On the
other hand, you could just set your BIOS to have a boot option password
so that someone can't boot from a different device than the one intended
without a password.

Cheers, Tom

> Maybe he modified some read() calls to simultaneously proxy
> the data out to a remote host. Even if I had specific documents
> encrypted again within the partition, the data would be unencrypted on
> the fly and passed in plain text to read(). Who knows what an
> attacker might do...heh. This is why FDE is important. Perhaps
> Ubuntu can work it into the next LTS release two years from now,
> whatever that solution might be :-)