Re: I got a good security one more ya.

On Fri, Mar 31, 2006 at 08:01:18AM +0100, curtis wrote:
You should look into encrypting your data you need private as UNIX based
permissions won't work really, well they do but 'root' on the other
machine could easily read it.

Look carefully, however.

If you do good encyption with a really good passphrase/key, the key
will be hard to remember. (By definition. Any key which is easy to
remember has little entropy and could yield to a brute force key
search by a motivated foe with money.)

If you do have a good key and encryption, if you lose your key, you
are completely hosed. There is no key recovery if you have a secure
system.

So there is the passphrase security/risk trade-off. Reuse a password
you use everywhere else and your security won't be so good.


A second consideration is reliability. If a normal disk volume has a
problem and slips a few bits, you can likely recover by running
"fsck". fsck will go over the disk, look at the broken data, and try
to put it back together; a little bit like when your checkbook doesn't
balance, you go back and check things, and fix the error.

In the case of encryption there are two layers. On the disk the data
is scrambled (so the bad guys can't read it), on top of that is the
encryption software and it presents us with a second layer, the
decrypted volume. The relationship between the decrypted data and the
encrypted data is very carefully contrived to be very messy. If an
error happens in the encrypted data (just one bit being flipped!) it
will spray across many unencrypted bits. This makes the job of fsck
much harder and you could lose your data.

Disclaimer 1: I have not experimented with corrupting encrypted data
and seeing what happens and how lethal it is. It might not be as bad
as I suggest, or it might be worse.

Disclaimer 2: I have not investigated the state of disk encryption to
know how much redundancy is build in specifically to deal with disk
corruption. It is possible the problem I describe is much reduced if
you make the right encryption choice.


-kb


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Relevant Pages

  • Attack Scenarios against PGPs Whole Disk Encryption (WDE)
    ... Attack Scenarios against PGP's Whole Disk Encryption ... PGP's Whole Disk Encryption for Microsoft Windows encrypts all the ... As long as standard PC hardware and BIOS is used, the boot code of the disk ...
    (comp.security.pgp.tech)
  • RE: [Full-Disclosure] harddisk encryption
    ... If the encryptor encrypts your boot disk, it has to be involved early in the ... boot process and may be broken by anything that changes the system boot sequence. ... normally when the encryption keys had been entered. ... registry controls that allow the swap file to be wiped on shutdown. ...
    (Full-Disclosure)
  • RE: [Full-Disclosure] harddisk encryption
    ... > boot process and may be broken by anything that changes the system boot ... In the event of disk crash or emergency, unless a tool is provided to ... > i'm evaluating a software that performs harddisk encryption for deploying ...
    (Full-Disclosure)
  • Widely Used Security Solutions Unable To Prevent Data Theft
    ... Innersafe Corporation, a data security company. ... a text editor exposed protected data on a PC running disk ... "Data theft from a PC is surprisingly easy. ... Disk encryption scrambles data on the disk so it cannot be unscrambled ...
    (alt.privacy)
  • Re: On the Recent PGP and Truecrypt Posting
    ... changing the passphrase would lock out prior users. ... Clearly a users with a backup copy of an encrypted disk for which they ... clear that real world users actually understand the need to re-encrypt ... You will also also see the architecture extend to some *very* cool storage encryption very soon. ...
    (Bugtraq)