[sf-lug] Full Disk Encryption options?

Tom Haddon tom at greenleaftech.net
Sun Mar 23 23:53:05 PDT 2008

On Sun, 2008-03-23 at 18:11 -0700, Kristian Erik Hermansen wrote:
> On Sun, Mar 23, 2008 at 3:09 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> >  Hope this isn't too irrelevant, but why would you want to do full disk
> >  encryption? You're slowing down your machine by forcing it to do extra
> >  processing and you're encrypting many many files that are publicly
> >  available and don't have any personal information in them. I don't
> >  really see the point of encrypting /usr/bin, /usr/sbin, /usr/lib, /lib,
> >  etc...
> >
> >  Why not just encrypt the stuff that's specific to you?
> That's a great question Tom.  There are a few reasons.  Let's just
> assume for a moment that I only encrypt /home, so that all my user
> data is protected.  I leave for lunch and some guy happens to snag my
> laptop for the hour I am gone.  During this hour, he is able to boot
> my machine with a LiveCD and plant a backdoor libc library that does
> bad stuff.  I log into my computer after lunch.  Upon running some
> applications, unbeknownst to me, data is being leaked out to the
> attacker.  

Interesting, hadn't thought of that as a possibility before. On the
other hand, you could just set your BIOS to have a boot option password
so that someone can't boot from a different device than the one intended
without a password.

Cheers, Tom

> Maybe he modified some read() calls to simultaneously proxy
> the data out to a remote host.  Even if I had specific documents
> encrypted again within the partition, the data would be unencrypted on
> the fly and passed in plain text to read().  Who knows what an
> attacker might do...heh.  This is why FDE is important.  Perhaps
> Ubuntu can work it into the next LTS release two years from now,
> whatever that solution might be :-)

More information about the sf-lug mailing list