Whole disk encryption?

[Skand Hurkat]

Going on with the related discussion on passwords, I was wondering if anyone here uses whole disk encryption, be it for a computer or phone.

As such, the concept of whole disk encryption sounds formidable, mainly because it involves the computer decrypting not only file every time it's used; but, for any effective encryption system, a whole block around the file has to be decrypted as well. That, and the fact that encrypted data is effectively lost after an OS crash (typical on Windows installations).

However, I've recently moved to partition level encryption (ecryptfs) for my workstation home folder, along with full disk encryption for my Ubuntu installation. I don't notice any drop in performance, but that's probably because my workstation is a quad core i7 beast. Encrypting the workstation makes sense, mainly because there's just too much data lying around for any privacy snoop, including accounts that I leave in the "logged in" state, cookies, site auth data (eg: 2 step authentication on Google).

So, my question is: does it make sense to encrypt a laptop or a phone, where the encryption may result in a significant drop in performance? What do you do?

Skand.

[Dilawar Singh]

I have never used encryption for disk but have used them encrypting config files when they contain passwords.

 

I usually keep my password on a text file encrypted using gpg. When I need to read them, say calling mutt, I decode them and populate the environment variables in shell. Mutt reads the variable for password and and when it closes, these varaiables are destroyed. This makes me do something really unthinkable: I store my passwords, along with required config files, on github publicly. Anyone can read them.

I clone on any computer and remembers the paraphrase which I used to encrypt the file. Even if I leave these files undeleted, this does not cause me any headache. People can waste their time decrypting it, they are not likely to succeed unless they persist for a long time.

By the way, I met a person recently who has a single space as her password. Now who would have guessed it, using his brain or computer?

--

Dilawar 

EE, IITB 

[Sudarshan Wadkar]

Search for OTFE [On The Fly Encryption]

The free tools are good enough for personal use, I guess.

@Dilawar:

You do realize that there are n number of ways to get access to that passphrase, right? [Keyloggers, anyone?]. Agreed PGP is cool and all, but IMHO, its not substitute for your passwords!

-Sudhi :)

--
--
The website for the club is http://stab-iitb.org/wncc
To post to this group, send email to wncc...@googlegroups.com
 
---
You received this message because you are subscribed to the Google Groups "Web and Coding Club IIT Bombay" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wncc_iitb+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Dilawar Singh]

@Dilawar:

> You do realize that there are n number of ways to get access to that passphrase, right? [Keyloggers, anyone?]. Agreed PGP is cool and all, but

Not quite. Thanks for pointing to key-loggers.

But as long as they don't have access to machine, I am much safer than having a hashed or plain password. I can anyway go to the machine next day and delete entries from key-loggers if any. On a networked PC, getting thing 100% secure is not possible. At least gpg adds a convenience.

It saves me from doing really-dumb things I have done before.  Like uploading a file containing password on github. Anyway without knowing paraphrases, it is still safer than passwords. And paraphrases are easier to remember, passwords are not. I usually get more scared when I forget the password. Its a cruel world out there for people who forgets their password. Especially if don't know admin personally.

> its not substitute for your passwords!

It easily can be  in those cases when you have to store password somewhere on your disk, encrypted passwords are better. Surely I am not going to use paraphrase when the facility is not available such as gmail.

--
Dilawar

Dilawar
EE, IITB

[Santosh Ananthakrishnan]

I understand using it on a personal or work phone / laptop, but I'm not sure how much sense 

it makes to use FDE on a workstation. FDE is for stuff that can get physically stolen, it's useless 

against everything ranging from keyloggers to APTs, and for a system that's not going anywhere

like a desktop, those are the threats that matter. 

[Dilawar Singh]

Is there  a partial support of encryption on partitions: say encrypt all /etc/* *.cc *.h *.txt etc files and leave the *.avi *.mkv etc as they are. Even if all of them exists on same partition?

Dilawar
EE, IITB

[Skand Hurkat]

On Thursday, 27 June 2013 05:27:03 UTC-4, santosh wrote:

I understand using it on a personal or work phone / laptop, but I'm not sure how much sense 

it makes to use FDE on a workstation. FDE is for stuff that can get physically stolen, it's useless 

against everything ranging from keyloggers to APTs, and for a system that's not going anywhere

like a desktop, those are the threats that matter. 

Keyloggers are definitely a threat, as is someone looking over the shoulder. However, I think it makes sense to have full disk encryption on my workstation for one reason, and that's security once I'm done using the workstation. Given the amount of data that's cached by browsers (like persistent logins, authentication cookies, account details, etc.) I'd definitely feel better that even if I screw things up by forgetting to shred that one file; no one can access that data without a passphrase that I sure am not going to give up.

Of course, this works only because I have root access on my workstation, and that I'm going to be the only user for the next three months, after which I can wipe the system and return it. I would not do this on my office Mac, mainly because I know that my advisor will hand it over to an intern for the summer. Cleaning up the Mac before leaving was a tough gig; mainly because I had to be sure that I had securely deleted all files that could contain any personal information.

Which brings me to the next part: I think it definitely makes sense to encrypt the $HOME folder (or it's equivalent) on any computer, because that's where almost all the personal information resides. On a workstation or a shared computer, it's all that more important, just because anyone with an account could possibly access the files unless you've mastered chmod and chown; and I'm sure that does not prevent the sysadmin from reading any file.

The trouble with file or folder encryption really is that it's a local method, and it does allow any attacker to find out which files have been modified; and that can possibly leak information. It could be potentially worse in journaling file systems, or file systems where data is not guaranteed to be overwritten, because that offers the attacker a view of "before" and "after" versions of the encrypted file, which is terrible from the point of view of security. Encryption is effective only if the attacker cannot find out what content has changed, and that's one of the reasons why whole disk encryption or partition level encryption works better than file or folder level encryption.

As an aside, check out this talk by Cory Doctorow: http://www.youtube.com/watch?v=gbYXBJOFgeI. Warning! It's an hour long, so grab some popcorn, and take time out to watch it. Or watch it at work. I'm sure it's way more interesting than whatever you're doing right now. :)

Skand.