[Cryptography] Speeding up Linux disk encryption

Ray Dillinger bear at sonic.net
Fri Apr 9 09:41:31 EDT 2021


My problem with disk encryption systems is that they tend to protect the
disk contents right up until the system boots up, and not so much while
it's running.


While the system is running, the disk is mounted, the process of
encrypting or decrypting is abstracted away, and every bit of malware
that works on unencrypted systems works just fine on encrypted systems.
Basically the encryption provides no protection beyond the first login
where the disk is mounted.

What disk encryption protects against is people stealing the machine or
hard drive, and while that's a real threat, it's not the universal kind
of threat that disk encryption is (usually) considered to protect against.

Disk encryption that actually provides the protections people think disk
encryption provides would require a whole new filesystem type, a whole
new OS mostly organized around key management, and APIs that
applications have to *use* (or else the application DOESN'T WORK) to
specifically encrypt writes and decrypt reads.  'Reading' keys (half a
symmetric pair) would be available in accounts having read permission to
some file, and 'Writing' keys (both sides of a symmetric pair) would be
available in accounts having write permissions to the file.  If it's an
executable or a script, then it requires a different pair of keys;
'execute' permission would have half a symmetric pair and 'write
executable' would have both halves.

                Bear



