<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>There are a <i>whole</i> lot of threats that full disk
encryption does not address, and they need to be addressed.</p>
<p>But, let's imagine they have been addressed. What now? If all an
attacker has to do is reboot from a USB stick, or read media on
another machine, and then everything is in the clear, that seems a
problem. A problem solved by full disk encryption. (Also, as
pointed out, a nice way to securely erase old media: lose the
key.)</p>
<p>Why is full disk encryption of interest to Cloud Flare? Rack
mounted servers don't casually walk away, do they? Well, when one
is dealing on the scale of Cloud Flare I bet they do. Maybe not
stolen by an Evil Maid, but servers will get lost in the shuffle.</p>
<p>I was very intrigued by the closing paragraph in the story:</p>
<blockquote type="cite">The main patch from this blog (in a
slightly updated form) has been <a
href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877"
target="_blank">merged</a> into mainline Linux
kernel and is available since version 5.9 and onwards. The
main difference is the mainline version exposes two flags
instead of one, which provide the ability to bypass dm-crypt
workqueues for reads and writes independently.</blockquote>
<p>Quick check and I have a new enough kernel on this machine!</p>
<p>Also:</p>
<blockquote type="cite">For details, see <a
href="https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html"
target="_blank">the official dm-crypt
documentation</a>.</blockquote>
<p>Hmmm. Maybe too "detailed". I wish I had a practical how-to on how
I could try it on my current personal machine. Dangerous stuff to
figure out on a live machine and get wrong.</p>
<p>Do I possibly just add to /etc/crypttab:</p>
<p> no_write_workqueue no_write_workqueue</p>
<p>And run "update-initramfs -u"?</p>
<p>-kb</p>
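<p>Added example, not part of the message above: a POSIX shell check
for the two preconditions the post touches on, that the running kernel
is at least 5.9, and that an active dm-crypt mapping's table actually
carries the no_read_workqueue / no_write_workqueue optional parameters
named in the quoted kernel documentation once the change has been applied.
The sample table line is constructed; on a real machine "dmsetup table
NAME" (as root) prints the line, with the key masked unless --showkeys
is given.</p>

```shell
#!/bin/sh
# Added example: verify the dm-crypt workqueue-bypass preconditions.

# kernel_at_least MAJOR MINOR [RELEASE]
# True if RELEASE (default: uname -r) is >= MAJOR.MINOR.
# Copes with release strings such as "5.10.0-rc1-amd64".
kernel_at_least() {
    want_major=$1; want_minor=$2
    rel=${3:-$(uname -r)}
    have_major=${rel%%.*}
    rest=${rel#*.}
    have_minor=${rest%%[!0-9]*}        # keep leading digits only
    [ "$have_major" -gt "$want_major" ] || {
        [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
    }
}

# table_bypass_flags "TABLE_LINE"
# Prints the workqueue-bypass flags present in one dm-crypt table line.
# Line layout (dm-crypt docs):
#   <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> \
#       [<#opt_params> <opt_param>...]
# Non-crypt targets return 1; a crypt target with no flags prints nothing.
table_bypass_flags() {
    set -- $1                          # split the line into fields
    if [ $# -lt 8 ] || [ "$3" != "crypt" ]; then
        echo "not a crypt target" >&2
        return 1
    fi
    shift 8                            # drop the fixed fields
    n=${1:-0}; [ $# -gt 0 ] && shift   # optional-parameter count
    out=""
    while [ "$n" -gt 0 ] && [ $# -gt 0 ]; do
        case $1 in
            no_read_workqueue|no_write_workqueue) out="$out $1" ;;
        esac
        shift; n=$((n - 1))
    done
    echo "${out# }"
}

# Live use (root): report the flags on an existing mapping by name.
mapping_bypass_flags() {
    table_bypass_flags "$(dmsetup table "$1")"
}

# Constructed sample, not real device output:
SAMPLE="0 1048576 crypt aes-xts-plain64 00000000 0 8:2 4096 2 no_read_workqueue no_write_workqueue"
```

Running "mapping_bypass_flags root_crypt" before and after editing crypttab and rebuilding the initramfs shows whether the bypass is really in effect, rather than trusting the config file alone.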
</body>
</html>