[Cryptography] Speeding up Linux disk encryption

[Jeremy Stanley]

On 2021-04-10 17:42:35 -0400 (-0400), Kevin W. Wall wrote:
[...]
> I think what people seem to be missing here is "what is the threat
> model" for all of this FDE?
> 
> The main purpose of FDE is--and as far as I know, always has
> been--to protect "smash-and-grab" attacks, where for instance a
> crook is walking past a locked parked car, sees a laptop on the
> back see, smashes the window and grabs the laptop and runs off
> with it. (It provides similar protection if your laptop is powered
> down and you simply lost it.) If it's advertised as anything more
> than this, chances are, it's just hype.
> 
> Businesses who issued company laptops to their employees were the
> ones who pushed to get FDE deployed because there were way too
> many news stories popping up of stolen or lost company laptops
> where the employee may have had thousands or millions of consumer
> records containing PII on them and this was one way to address
> that liability. (And more effective than telling the employee "not
> to do that", especially when that employee was a C-level
> executive.)
[...]

There's a related compelling business case: secure disposal. I
remember my employer spending inordinate sums of money to have hard
drives of systems which might (or might not) have contained
sensitive information thoroughly destroyed in order to prevent that
data from being leaked to dumpster-divers or through grey-market
parts resale. Indeed there are plenty of stories about people buying
used hard drives in bulk as simple gold mining expeditions. If the
disk is reliably encrypted, it's far cheaper to wipe/discard the
decryption key and pass it off to a lower-security recycling
operation.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210411/bc35c771/attachment.sig>