Laptop drive encryption? Lots of questions.

Posted: 2008-07-22 06:35am
by Pu-239
First off, I'm not even sure if drive encryption is all that useful.
I've been very good w/ physical security anyway, never leaving laptops unattended outside of home/office, though I'm considering getting a cable lock so I don't have to pack up the laptop just to go to the restroom or whatever (this should be sufficiently secure for 5 minutes or so, right?). I *have* left laptops in hotel rooms when traveling out of necessity (fairly impractical to carry heavy laptops around, although the T61 should be an improvement in weight), although that isn't very often (once a year?).

As for info lying around, how safe is Firefox's master password? The other open password lying around would be my mail one for mail-checking applets, plus some potential leakage from being careless. Source code for research software from GMU doesn't seem to sound like something of criminal interest (stuff from Unisys might, but that's on its own laptop, which I don't set up, and shouldn't be taken outside home/office). SSH keys have their own password so they should be okay.

Given this, is there a point to enabling partition encryption? It seems like a massive hassle for little gain. I've seen Xon go off on saying people who don't enable FDE are idiots, etc.

Having said that, if encryption is desired, anyone have any recommendations for some kind of drive/filesystem encryption on Linux?
I think encrypting only /home, /tmp, and swap should be sufficient; is this correct?

Available options I know of seem to be Truecrypt, dm-crypt, encfs (which doesn't encrypt the block device, just files), and ecryptfs (which seems similar to encfs in functionality but has TPM/TCPA support). The non-FDE ones like encfs probably require an encrypted swap/tmp (I just make a big swap and use a ramdisk for /tmp), which makes hibernate impossible, while I believe the others will prompt on resume.

Does the TPM/TCPA chip do any hardware crypto acceleration, and are there any real benefits? Most of the solutions above don't support it except ecryptfs, which doesn't encrypt block devices. How much of a performance hit should be expected? Not supporting the TPM chip isn't all that big a deal, yes?

On the Windows side, does Vista Business contain Bitlocker?

Posted: 2008-07-22 06:40am
by Zac Naloen
The only Vista with Bitlocker is Ultimate and Enterprise.

I know this due to having just completed MCTS in Vista :D

Other than that, I've used TrueCrypt in the past, but I've never had one of these systems actually tested, so I can only attest to its ease of use.

Posted: 2008-07-22 08:07am
by Resinence
FDE seems like a huge amount of effort for very little gain, imo. And with the recent release of the Cold Boot Attack tools, the benefit is questionable. Of course your average thief isn't after company secrets or what have you and would probably just go "oh, it's broken" when he can't boot it and try to get rid of it. Maybe install a daemon that reports the laptop's current WAN address to a web site somewhere, so if it gets stolen you can maybe figure out where it is or who has it.

As for Firefox, the password manager stores the master password and key in the same file (:roll: illusion of security?). I'm not sure about the profile passwords; I think the security is better there, with the algorithm being 3DES. A paper on attacking triple DES, if you're interested: http://th.informatik.uni-mannheim.de/Pe ... des.pdf.gz

Of course, my points are only relevant if whoever steals it knows what they are doing; I somehow doubt the average thief wants it for anything more than to sell or use to check their mail and browse porn. Of course they might also use the info for identity theft... so home and tmp encryption couldn't hurt.

Posted: 2008-07-22 09:28am
by Zac Naloen
I don't see much point in FDE, just put all the data you want protected into a folder and encrypt that.

Great thing about TrueCrypt is that you can disguise it as a .avi file or whatever.

Posted: 2008-07-22 11:57am
by Pu-239
Zac Naloen wrote:I don't see much point in FDE, just put all the data you want protected into a folder and encrypt that.

Great thing about TrueCrypt is that you can disguise it as a .avi file or whatever.

The thing is, lots of apps tend to be "leaky" and dump unencrypted temp files everywhere.
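The two points Pu-239 raises (the first post's question of whether encrypting only /home, /tmp and swap is enough, and the reply above about "leaky" apps scattering temp files) come down to the same mitigation on Linux: keep /tmp in RAM and give swap a throwaway key, so whatever an application writes outside the encrypted home never reaches the disk in the clear. The script below is an added example, not code from anyone in the thread; it audits crypttab- and fstab-style text for exactly that configuration. The device names, UUID and mapping names in the samples are constructed, and it parses the embedded sample text rather than the live system so it can run anywhere.

```shell
#!/bin/sh
# Added example: audit a "random-keyed dm-crypt swap + tmpfs /tmp" setup.
# Both sample files below are constructed for this example.

# Constructed /etc/crypttab: the swap mapping takes a fresh key from
# /dev/urandom at every boot, so nothing swapped out survives a power-off.
# (This is also why hibernate stops working: the resume image is on swap.)
SAMPLE_CRYPTTAB='# <name>  <device>            <keyfile>     <options>
cswap     /dev/sda3           /dev/urandom  swap,cipher=aes-xts-plain64,size=256
chome     UUID=HYPOTHETICAL   none          luks'

# Constructed /etc/fstab: swap is the mapped device; /tmp lives in RAM.
# tmpfs pages can still be swapped out, which is why the encrypted swap matters.
SAMPLE_FSTAB='/dev/mapper/cswap  none   swap   sw                      0 0
/dev/mapper/chome  /home  ext4   defaults                0 2
tmpfs              /tmp   tmpfs  nosuid,nodev,mode=1777  0 0'

# swap_is_random_keyed CRYPTTAB_TEXT MAPPING_NAME
# Succeeds when the named mapping uses /dev/urandom as its key file
# and carries the "swap" option (the throwaway-key swap pattern).
swap_is_random_keyed() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 !~ /^#/ && $1 == name && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# fstab_swap_device FSTAB_TEXT  -> prints the device backing swap
fstab_swap_device() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }'
}

# tmp_is_tmpfs FSTAB_TEXT  -> succeeds when /tmp is mounted as tmpfs
tmp_is_tmpfs() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $2 == "/tmp" && $3 == "tmpfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_swap_tmp CRYPTTAB_TEXT FSTAB_TEXT
# Prints one verdict per item; returns 0 only if swap is a random-keyed
# dm-crypt mapping and /tmp is tmpfs.
audit_swap_tmp() {
    crypttab=$1; fstab=$2; ok=0
    dev=$(fstab_swap_device "$fstab")
    case "$dev" in
        /dev/mapper/*)
            name=${dev#/dev/mapper/}
            if swap_is_random_keyed "$crypttab" "$name"; then
                echo "swap: OK ($dev, random key from /dev/urandom)"
            else
                echo "swap: WARN ($dev is dm-crypt but not random-keyed; hibernate image may persist)"
                ok=1
            fi ;;
        "")
            echo "swap: none configured" ;;
        *)
            echo "swap: FAIL ($dev is a plain block device; swapped pages land on disk in the clear)"
            ok=1 ;;
    esac
    if tmp_is_tmpfs "$fstab"; then
        echo "/tmp: OK (tmpfs)"
    else
        echo "/tmp: FAIL (on a disk filesystem; temp files are written unencrypted)"
        ok=1
    fi
    return $ok
}

audit_swap_tmp "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
```

Pointing the two functions at the real files (`audit_swap_tmp "$(cat /etc/crypttab)" "$(cat /etc/fstab)"`) gives the same verdicts for a live machine. A separate home mapping with a persistent LUKS key, as in the `chome` sample line, is what lets /home be unlocked with a passphrase while swap needs no key to be stored anywhere.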

Posted: 2008-07-22 04:08pm
by phongn
It's useful for the corporate and government world who want to protect trade secrets.