Re: Disc encryptian.

To: debian-user@lists.debian.org
Subject: Re: Disc encryptian.
From: "Boyd Stephen Smith Jr." <bss@iguanasuicide.net>
Date: Thu, 24 Feb 2011 16:09:16 -0600
Message-id: <[🔎] 201102241609.20150.bss@iguanasuicide.net>
In-reply-to: <[🔎] 4D66D0C1.5070609@cox.net>
References: <[🔎] AANLkTingp9x3B4=N9ULaUS93w7Q3mM2jA80cbY1_peaJ@mail.gmail.com> <[🔎] 201102240831.04799.bss@iguanasuicide.net> <[🔎] 4D66D0C1.5070609@cox.net>

On Thursday 24 February 2011 15:42:25 Ron Johnson wrote:
> On 02/24/2011 08:30 AM, Boyd Stephen Smith Jr. wrote:
> > On Thursday 24 February 2011 07:03:23 Ron Johnson wrote:
> >> On 02/24/2011 06:22 AM, Brad Alexander wrote:
> >>> Also, please remember, when the system is running, the filesystem is
> >>> *decrypted*. Encryption is not going to protect you when the system is
> >>> running.
> >> 
> >> So what you/we need are apps which integrate GPG.  That way, files
> >> are only decrypted when necessary.
> > 
> > Depends on what you are trying to defend against.  Full-disk encryption
> > is meant to defend against physically stolen or confiscated servers,
> > drives, or laptops from being accessed.  When a laptop is on, it is
> > generally being closely observed, so when it is stolen it is usually
> > off.  Servers and drives
> 
> Except that many laptop users suspend or hibernate their machines
> for faster startup.

With sleep (suspend to RAM), the disk remains unprotected; key material is in 
RAM, among other things.  I don't recommend sleeping unless you *know* you'll 
be back to actively using the system before your battery drains; it can lose 
data in rare instances.  Usually this entails keeping your laptop nearby, 
although not necessarily the focus of your attention, so there is some 
increased risk of theft.

From what I understand, it is possible to disable the ability to suspend the 
laptop.  This can be used to avoid this extra risk.

With hibernate (suspend to Diks), the disk is protected; key material is not 
in RAM (nothing is).  You'll need to provide the passphrase in order to 
resume.  Key material is never written to disk unprotected by the kernel 
implementation(s) of full-disk encryption; this is a well-known way to 
"accidentally" subvert the entire purpose of full-disk encryption.

Using "safe-sleep" (suspend to both), the disk remains unprotected until the 
battery drains or (if the ACPI and the kernel is smart enough) it switches to 
a hibernate state.  I'm not sure how well Squeeze (in particular) supports 
this mode at all; it is common under Mac OS X.  uswsusp did have some support 
for this in Lenny, but I think that package or at least that feature is going 
or has went away.
-- 
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Disc encryptian.
  - From: Heddle Weaver <weaver2world@gmail.com>
- Re: Disc encryptian.
  - From: "Boyd Stephen Smith Jr." <bss@iguanasuicide.net>
- Re: Disc encryptian.
  - From: Ron Johnson <ron.l.johnson@cox.net>

Prev by Date: Re: To 64 or Not to 64?
Next by Date: Re: dd or cp over network: should I use scp?
Previous by thread: Re: Disc encryptian.
Next by thread: Re: Disc encryptian.
Index(es):
- Date
- Thread