open source disk crypto update

Alexander Klimov alserkli at inbox.ru
Thu Apr 26 06:35:49 EDT 2007


On Wed, 25 Apr 2007, Travis H. wrote:
> Just recently I discovered Debian default installs now support
> encrypted root (/boot still needs to be decrypted).
>
> Presumably we are moving back the end of the attack surface; with
> encrypted root, one must attack /boot or the BIOS.  What is the
> limit?

The real question is what attacks you are talking about.

For example, protecting confidentiality of /boot and /usr that
contains software that everybody can find on millions of other
computers makes little sense. (OK, your kernel configuration may
be unique, but do you really consider it confidential?)

Do you want encryption to ensure integrity of your software? (Of
course, that would be contrary to common crypto wisdom.) Are you
afraid of attackers secretly changing your software (to monitor
you?) while your computer is off? If so, are you sure that there
is no hardware keylogger in your keyboard and there is no camera
inside a ceiling mounted smoke detector [1]?

In any case, it is a good idea to always start with a definition
of the problem and then check if the solution really solves it.
(For example, even if the problem is that your computer is too
fast, you cannot solve it with encryption :-) )


[1] <http://www.tentacle.franken.de/papers/hiddencams.pdf>

-- 
Regards,
ASK
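
The integrity point in the message above, as an added example that is not part of the original post: a sector encrypted without authentication can be modified offline into a chosen plaintext when the original content is publicly known (as with stock software), while an encrypt-then-MAC layout rejects the change. The SHA-256 counter keystream is a toy stand-in cipher and an assumption of this sketch, not the mode any real disk-encryption tool uses; keys, sector number and contents are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, sector: int, n: int) -> bytes:
    """Toy per-sector keystream (stand-in cipher, assumption of this example)."""
    out, block = b"", 0
    while len(out) < n:
        seed = key + sector.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:n]

def xcrypt(key: bytes, sector: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector; gives confidentiality only."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector, len(data))))

def tag_for(mac_key: bytes, sector: int, ct: bytes) -> bytes:
    """HMAC over the sector number and ciphertext."""
    return hmac.new(mac_key, sector.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def seal(enc_key: bytes, mac_key: bytes, sector: int, pt: bytes):
    """Encrypt-then-MAC: returns (ciphertext, tag)."""
    ct = xcrypt(enc_key, sector, pt)
    return ct, tag_for(mac_key, sector, ct)

def open_sealed(enc_key, mac_key, sector, ct, tag):
    """Return the plaintext, or None if the stored ciphertext was modified."""
    if not hmac.compare_digest(tag_for(mac_key, sector, ct), tag):
        return None
    return xcrypt(enc_key, sector, ct)

def modify_offline(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change made without any key, knowing only the public plaintext at offset."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    patched = bytes(c ^ d for c, d in zip(ct[offset:offset + len(delta)], delta))
    return ct[:offset] + patched + ct[offset + len(delta):]

def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32      # constructed keys
    sector, pt = 7, b"boot_verbose=0\n"          # constructed sector content
    ct, tag = seal(enc_key, mac_key, sector, pt)
    tampered = modify_offline(ct, 13, b"0", b"1")
    enc_only = xcrypt(enc_key, sector, tampered)  # decrypts cleanly, no error
    authed = open_sealed(enc_key, mac_key, sector, tampered, tag)
    clean = open_sealed(enc_key, mac_key, sector, ct, tag)
    return enc_only, authed, clean

if __name__ == "__main__":
    print(demo())
```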

---------------------------------------------------------------------
The Cryptography Mailing List