[Cryptography] Speeding up Linux disk encryption

[Peter Gutmann]

Kevin W. Wall <kevin.w.wall at gmail.com> writes:

>I think what people seem to be missing here is "what is the threat model" for
>all of this FDE?

"We've got a lot of cool crypto in hardware and not much else we can do with
it".

>The main purpose of FDE is--and as far as I know, always has been--to protect
>"smash-and-grab" attacks

And in particular, targeted smash-and-grab, so against CxO's where the value
isn't the laptop but what's on it.  For anyone else, they're stealing the
laptop to wipe and sell as quickly as possible, not to spend three months
performing a forensic analysis of its contents.

In these situations, FDE is a liability, not an advantage, because the concern
for most people is data loss rather than protection against a smash-and-grab
intended to steal high-level corporate secrets.  I keep getting nagged to
enable Bitlocker, which protects against no practical threat that I can think
of but ensures that if anything goes wrong I can't plug the SSD into another
machine and recover everything that's still recoverable.

And I'm saying that from having helped with numerous migrations of standard
and Bitlockered storage media over the years.  With Bitlocker it's always been
wipe-and-reinstall, a.k.a. complete data loss.  With non-Bitlocker its
(almost) always been "all your old files are now available on your D: drive"
(the exception was where the corruption was too severe to recover more than
individual files).

So ironically the only media I'd use FDE with is where the value of the
contents is low enough that it doesn't matter if they get lost.

Peter.