
Re: Possible for full-disk encryption to encrypt /boot as well?



On 05/26/18 23:40, Paul Johnson wrote:
> On Sun, May 27, 2018 at 12:43 AM, David Christensen <
> dpchrist@holgerdanske.com> wrote:
>
>> On 05/26/18 21:16, Paul Johnson wrote:
>>
>>> On Sat, May 26, 2018 at 7:21 PM, David Christensen
>>>
>>>> Have you considered a self-encrypting drive ...
>>>
>>> I'm 99.99% sure (like Dove soap sure) that Symantec full disk
>>> encryption doesn't work this way because I'm just as sure that none
>>> of the Dell models I've ever worked with have this hardware
>>> capability.
>>
>> I have tested Intel 520 Series SSDs with self-encryption in two Dell
>> laptop models:
>>
>> - They do not work in Dell Inspiron E1505s (~2007, Core Duo).
>>
>> - They do work in Dell Latitude E6520s (2011~2012, Sandy Bridge).
>
> Right, but is the basic system unencrypted or not?  I very, very, very
> highly suspect not, since it seems fairly obvious to me (given that all
> the Dell hardware stuff has finished and it's handed off to whatever is on
> the boot device) it's handing off to encrypted software off the hard drive
> to bootstrap the rest by the time anything Symantec gets involved with.


AFAIK self-encrypting drives (SEDs) have hardware encryption/decryption engines (ASICs) built into the on-board microcontroller. When the system boots, there is a protocol for the motherboard firmware to display a prompt on the console for the SED passphrase, which is then passed to the SED. If the passphrase is correct, the SED then encrypts/decrypts data writes/reads transparently (e.g. the SED acts like an unencrypted drive). If the passphrase is wrong, the SED will refuse to write/read data, because it cannot encrypt/decrypt without the passphrase. If someone pulls the platters or memory chips out of the SED, puts them into a test jig, and reads the magnetic bubbles/transistors, they will obtain ciphertext. They must know the encryption algorithm, passphrase, and other pieces of information (nonces, etc.) to decrypt the ciphertext and obtain the plaintext.


Once the SED has been unlocked, the administrator can build additional layers of hardware and/or software encryption on top. FreeOTFE and dm-crypt/LUKS are examples of software encryption. I believe BitLocker is also software encryption, but allows keys to be stored in a Trusted Platform Module (TPM). I am not familiar with Symantec encryption products.


David
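The unlock flow David describes (firmware passes a passphrase to the drive; a correct passphrase makes reads and writes transparent, a wrong one is refused, and the chips themselves hold only ciphertext) can be modelled in a few dozen lines. The following is an added example for this thread, not code from the list post or from any drive vendor. It assumes the usual SED key layout, where a random media encryption key (MEK) is stored only in wrapped form and the passphrase-derived key unwraps it; it uses HMAC-SHA256 in counter mode as a stand-in for the drive's AES engine so that it runs with the Python standard library alone. The class and method names are the example's own.

```python
"""Toy model of a self-encrypting drive (SED): passphrase unwraps the media
key, data at rest is ciphertext, and a locked drive refuses I/O.

Added example, not code from the list post or any drive vendor.  The
keystream (HMAC-SHA256 in counter mode) stands in for the drive's AES
engine; unlike AES-XTS it leaks the XOR of two plaintexts written to the
same sector, so it only illustrates the key-management flow, not a cipher
you would deploy."""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key and nonce (PRF in CTR mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    SECTOR = 16  # toy sector size in bytes

    def __init__(self, passphrase: str, sectors: int = 8):
        self.salt = os.urandom(16)
        mek = secrets.token_bytes(32)            # media encryption key, never stored in clear
        kek = self._kek(passphrase)              # key-encryption key derived from the passphrase
        # The wrapped MEK plus an HMAC tag is what the controller keeps; the tag
        # is how the drive can tell a wrong passphrase apart from a right one.
        self.wrapped_mek = _xor(mek, _keystream(kek, b"wrap", 32))
        self.mek_tag = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()
        self._mek = None                          # locked until unlock() succeeds
        # The media holds ciphertext only; a fresh drive holds encrypted zero sectors.
        self.media = [self._encrypt(mek, i, bytes(self.SECTOR)) for i in range(sectors)]

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def _encrypt(self, mek: bytes, sector: int, data: bytes) -> bytes:
        # XOR with a per-sector keystream; encrypt and decrypt are the same operation.
        return _xor(data, _keystream(mek, sector.to_bytes(8, "big"), self.SECTOR))

    def unlock(self, passphrase: str) -> bool:
        """What the firmware's boot-time prompt does: hand the passphrase to the drive."""
        kek = self._kek(passphrase)
        tag = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.mek_tag):
            return False                          # wrong passphrase: stay locked
        self._mek = _xor(self.wrapped_mek, _keystream(kek, b"wrap", 32))
        return True

    def lock(self) -> None:
        self._mek = None                          # power-off / explicit lock

    def write(self, sector: int, data: bytes) -> None:
        if self._mek is None:
            raise PermissionError("drive locked")
        self.media[sector] = self._encrypt(self._mek, sector, data.ljust(self.SECTOR, b"\x00"))

    def read(self, sector: int) -> bytes:
        if self._mek is None:
            raise PermissionError("drive locked")
        return self._encrypt(self._mek, sector, self.media[sector])

    def dump_media(self, sector: int) -> bytes:
        """What a test jig reading the bare chips sees: raw ciphertext, no passphrase needed."""
        return self.media[sector]


def demo(passphrase: str = "correct horse", wrong: str = "Tr0ub4dor&3") -> dict:
    """Walk through unlock, write, lock, chip-dump and a wrong-passphrase attempt."""
    drive = SelfEncryptingDrive(passphrase)
    results = {"first_unlock_ok": drive.unlock(passphrase)}
    drive.write(0, b"/boot is here")             # constructed sample data
    results["plaintext"] = drive.read(0).rstrip(b"\x00")
    drive.lock()
    raw = drive.dump_media(0)
    results["raw_is_ciphertext"] = raw != drive.read.__self__.media[0][:0] and raw.rstrip(b"\x00") != results["plaintext"]
    results["wrong_passphrase_rejected"] = not drive.unlock(wrong)
    try:
        drive.read(0)
        results["locked_read_refused"] = False
    except PermissionError:
        results["locked_read_refused"] = True
    results["reunlock_reads_same"] = drive.unlock(passphrase) and drive.read(0).rstrip(b"\x00") == results["plaintext"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point the model makes is the one in the post: the drive never refuses I/O by policy alone, it refuses because without the passphrase it cannot recover the MEK, and whatever is read off the raw media is ciphertext regardless of how it was obtained. Software layers such as dm-crypt/LUKS sit above `read`/`write` and see an ordinary block device once the drive is unlocked.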

