Re: [dev] Disk encryption

From: Markus Wichmann <nullplan_AT_gmx.net>
Date: Fri, 17 Jun 2022 06:11:10 +0200

On Thu, Jun 16, 2022 at 08:18:16PM +0300, an2qzavok wrote:
> >do not roll your own crypto
> I believe this refers only to inventing your own algorithm, just
> writing your own implementation of existing and tested algorithms is
> fine.
>

As I tried to point out with the MAC example, cryptography is full of
subtleties. Even using proven algorithms and plugging them together
inexpertly can create an insecure system. In that example, someone had
used AES in CBC mode with FIPS padding and some SHA-2 HMAC. All of these
were state of the art when the system was designed, and some still are.

> Though, is encrypted root partition even desirable?
> Since it only keeps your data safe when your machine is powered off, I
> always thought of system disk encryption as snake oil at worst and at
> best just not worth the effort.
>

Snake oil refers to a means that does not do what it says it will. Virus
scanners are snake oil because they cannot possibly detect all malware
prior to execution, and then the system is compromised. Malware removal
is snake oil, because it attempts to fix a compromised system while you
don't know what components have been compromised. So how can you have
any confidence in the result? Anything the program uses to find malware
may also have been compromised.

Disk encryption is not a snake oil. It will prevent your data from being
stolen when the system is off. This is useful, for example, for a
laptop, or in case you are worried about burglars or law enforcement
taking your computer. It will not help you with exploits targetting any
software you have running, yes, but there are other tools for that.

Ciao,
Markus
Received on Fri Jun 17 2022 - 06:11:10 CEST

This archive was generated by hypermail 2.3.0 : Fri Jun 17 2022 - 06:24:08 CEST