It's a Presidential Mandate, Feds use it. How come you are not using FDE?

[Steven M. Bellovin]

On Tue, 16 Jan 2007 07:56:22 -0800
Steve Schear <s.schear at comcast.net> wrote:

> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
> >Disk encryption, in general, is useful when the enemy has physical
> >access to the disk.  Laptops -- the case you describe on your page --
> >do fit that category; I have no quarrel with disk encryption for
> >them. It's more dubious for desktops and *much* more dubious for
> >servers.
> 
> As governments widen their definitions of just who is a potential
> threat it makes increasing sense for citizens engaged in previous
> innocuous activities (especially political and financial privacy) to
> protect their data from being useful if seized.  This goes double for
> those operating privacy-oriented services and their servers.  As an
> example, when TOR servers were recently seized in German raids (with
> the implication that they were being used as conduits for child porn)
> the police knew enough to only take the hot-swap drives (which were
> encrypted and therefore paper weights after removal) if only for
> show.  The main loss to the operators was repair to the cage locks.
> 
Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys?  If memory serves, Mike Godwin
-- a lawyer who strongly supports crypto, etc. -- has opined that under
US law, a subpoena for keys would probably be upheld by the courts.  I
believe that British law explicitly mandates key disclosure.  And of
course, there's always rubber hose cryptanalysis in jurisdictions where
that's acceptable.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com