First off, I'm not even sure if drive encryption is all that useful.
I've been very good w/ physical security anyway, never leaving laptops unattended outside of home/office, though I'm considering getting a cable lock so I don't have to pack up the laptop just to go to the restroom or whatever (this should be sufficiently secure for 5 minutes or so, right?). I *have* left laptops in hotel rooms when traveling out of necessity (fairly impractical to carry heavy laptops around, although the T61 should be an improvement in weight), although that isn't very often (once a year?).
As for info lying around, how safe is Firefox's master password? The other open password lying around would be my mail one for mail checking applets, plus some potential leakage from being careless. Source code for research software from GMU doesn't seem to sound like something of criminal interest (stuff from Unisys might, but that's on its own laptop, which I don't set up, and shouldn't be taken outside home/office). SSH keys have their own password so they should be okay.
Given this, is there a point to enabling partition encryption? It seems like a massive hassle, for little gain given. I've seen Xon go off on saying people who don't enable FDE are idiots, etc....
Having said that, if encryption is desired, anyone have any recommendations for some kind of drive/filesystem encryption on Linux?
I think encrypting only /home, /tmp, and swap should be sufficient - is this correct?
Available options I know of seem to be TrueCrypt, dm-crypt, encfs which doesn't encrypt the block device, but just files, ecryptfs which seems similar to encfs in functionality but has TPM/TCPA support. The non-FDE ones like encfs probably require an encrypted swap/tmp (I just make a big swap and use ramdisk for /tmp), which makes hibernate impossible, while I believe the others will prompt on resume.
Does the TPM/TCPA chip do any hardware crypto acceleration, and are there any real benefits? Most of the solutions above don't support it except ecryptfs, which doesn't encrypt block devices. How much of a performance hit should be expected? Not supporting the TPM chip isn't all that big a deal, yes?
On the Windows side, does Vista Business contain BitLocker?
Laptop drive encryption? Lots of questions.
Last edited by Pu-239 on 2008-07-22 06:47am, edited 1 time in total.
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
- Zac Naloen
- Sith Acolyte
- Posts: 5488
- Joined: 2003-07-24 04:32pm
- Location: United Kingdom
The only Vista with BitLocker is Ultimate and Enterprise.
I know this due to having just completed MCTS in Vista.
Other than that, I've used TrueCrypt in the past but I've never had one of these systems actually tested so I can only attest to its ease of use.
Member of the Unremarkables
Just because you're god, it doesn't mean you can treat people that way : - My girlfriend
Evil Brit Conspiracy - Insignificant guy
FDE seems like a huge amount of effort for very little gain, imo. And with the recent release of the Cold Boot Attack tools, the benefit is questionable. Of course your average thief isn't after company secrets or what have you and would probably just go "oh, it's broken" when he can't boot it and try to get rid of it. Maybe install a daemon that reports the laptop's current WAN address to a web site somewhere, so if it gets stolen you can maybe figure out where it is or who has it.
As for Firefox, the password manager stores the master password and key in the same file (:roll: illusion of security?). I'm not sure about the profile passwords, I think the security is better there, with the algorithm being 3DES. A paper on attacking triple DES, if you're interested: http://th.informatik.uni-mannheim.de/Pe ... des.pdf.gz
Of course, my points are only relevant if whoever steals it knows what they are doing; I somehow doubt the average thief wants it for anything more than to sell or use to check their mail and browse porn. Of course they might also use the info for identity theft... so home and tmp encryption couldn't hurt.
“Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation.” - Oscar Wilde.
- Zac Naloen
I don't see much point in FDE, just put all the data you want protected into a folder and encrypt that.
Great thing about TrueCrypt is that you can disguise it as a .avi file or whatever.
Zac Naloen wrote:I don't see much point in FDE, just put all the data you want protected into a folder and encrypt that.
Great thing about TrueCrypt is that you can disguise it as a .avi file or whatever.
The thing is, lots of apps tend to be "leaky" and dump unencrypted temp files everywhere.
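Added example, not part of any post in this thread: a small audit of the partial-encryption layout discussed above (/home, /tmp and swap), showing which leak-prone locations still end up on plaintext storage. The path list, device names and the /proc/mounts and /proc/swaps text are constructed for illustration; on a live system the set of dm-crypt devices could be taken from `dmsetup ls --target crypt`.

```python
SENSITIVE = ("/home", "/tmp", "/var/tmp")  # assumed list of leak-prone paths

def parse_mounts(text):
    """(device, mountpoint, fstype) tuples from /proc/mounts-style text."""
    return [tuple(l.split()[:3]) for l in text.splitlines() if l.strip()]

def backing(path, mounts):
    """Device and fstype of the deepest mount containing path (last one wins)."""
    best = None
    for dev, mnt, fs in mounts:
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) >= len(best[1])):
            best = (dev, mnt, fs)
    return (best[0], best[2]) if best else (None, None)

def audit(mounts_text, swaps_text, crypt_devs):
    """Map each swap area and sensitive path to its protection status."""
    mounts = parse_mounts(mounts_text)
    report, swap_plain = {}, False
    for line in swaps_text.splitlines()[1:]:      # first line is the header
        if not line.strip():
            continue
        name, kind = line.split()[:2]
        # A swap file is only as protected as the filesystem holding it.
        dev = backing(name, mounts)[0] if kind == "file" else name
        ok = dev in crypt_devs
        swap_plain |= not ok
        report["swap:" + name] = "encrypted" if ok else "PLAINTEXT"
    for path in SENSITIVE:
        dev, fs = backing(path, mounts)
        if fs in ("tmpfs", "ramfs"):
            # tmpfs pages can be written out to swap; ramfs pages never are.
            leaks = fs == "tmpfs" and swap_plain
            report[path] = "PLAINTEXT via swap" if leaks else "ram only"
        else:
            report[path] = "encrypted" if dev in crypt_devs else "PLAINTEXT"
    return report

# Constructed sample: encrypted /home, tmpfs /tmp, plain swap partition.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/mapper/home_crypt /home ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_SWAPS = """\
Filename                Type        Size    Used    Priority
/dev/sda2               partition   2097148 0       -1
"""
SAMPLE_CRYPT = {"/dev/mapper/home_crypt"}

if __name__ == "__main__":
    for item, status in audit(SAMPLE_MOUNTS, SAMPLE_SWAPS, SAMPLE_CRYPT).items():
        print(f"{item:20} {status}")
```

With the sample layout, the RAM-backed /tmp is reported as exposed because its pages can reach the unencrypted swap partition, and /var/tmp is exposed because it lives on the plaintext root filesystem.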