[–] Kalectrix 0 points 15 points 15 points (+15|-0) ago (edited ago)
Ha-ha yes. Linux supports this with ease. You don't really notice it, you just have to type in your passphrase at boot. You can also put nukes on it as well, so if someone tries brute forcing it the hard drive is as good as random gibberish. The other option is to just encrypt your home folder, which is the usual option. I used to run a persistent encrypted Kali Linux on a USB 3, was pretty good for a portable secure OS. Edit: correction
[–] NeverToday 0 points 1 point 1 point (+1|-0) ago
I do the whole disk thing and it's nice to know that if my laptop ever gets stolen, I really don't care that much. Go buy a new one, install my backup and never worry that my data will get pulled off the stolen machine.
I set it up via the Debian installer, if anyone's interested.
[–] jumpingmac 0 points 7 points 7 points (+7|-0) ago
It's important to note that whole disk encryption, while a strong mechanism for protecting your data against physical theft, is ineffective at protecting data stolen from you electronically.
[–] e0steven 0 points 1 point 1 point (+1|-0) ago
Correct, the encryption is to protect your data at rest, i.e. if someone steals your laptop or physical disk. Secondarily it would also stop LEO from making an image of your disk. Well, they could take an image; it would just be encrypted.
[–] just-my-2c ago
Even then, you better hope it was turned off when it was stolen or used by an unauthorized person...
[–] ghostfox1 0 points 4 points 4 points (+4|-0) ago
TrueCrypt did it, but it's not being updated anymore.
[–] [deleted] 0 points 5 points 5 points (+5|-0) ago
[–] Persolus 0 points 1 point 1 point (+1|-0) ago
Aww, this makes me happy. I don't have a use for TrueCrypt anymore, but when I heard the bad news, I felt very bad for the creators and the community.
Glad to see it's being properly forked. Fuck yeah open source software!
[–] ghostfox1 ago
Thanks. I knew someone had said they would update it, but I lost track of it a long time ago, and haven't had time to look into it.
[–] GeorgeMichael 0 points 1 point 1 point (+1|-0) ago
You could check out VeraCrypt, it's a fork and IIRC some TrueCrypt developers are involved in this project as well.
[–] Charley 0 points 1 point 1 point (+1|-0) ago
VeraCrypt has been a great alternative.
[–] [deleted] 0 points 1 point 1 point (+1|-0) ago
[–] e0steven 0 points 5 points 5 points (+5|-0) ago
Um, that's bull, it was fully vetted. Audit Results. And I highly doubt you have anything to back it up.
[–] VimTsar 0 points 3 points 3 points (+3|-0) ago
On Linux you can encrypt everything except the /boot partition, which contains the kernel and typically bootloader files. The good news is that you can move this partition along with the bootloader to a flash drive/SD card and carry it with you to prevent bootkit attacks.
Partitions still have LUKS (Linux encrypted) headers, which tell what kind of OS and type of encryption is used. LUKS supports storing the header externally (for example on the aforementioned external storage), but it's not supported by a lot of tools and system applications (for example systemd didn't support an external header, not sure about now) and might complicate recovery in case of problems.
Also, on OpenBSD FDE is supported only with the bootloader needing to be readable. Proprietary OSes open too many potential holes/backdoors, so encryption against a serious adversary is futile, and against a non-serious one encryption of the user account should be enough.
Further detail for example: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
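Added example, not part of the thread and not cryptsetup's own code: a minimal parser for the LUKS1 on-disk header, illustrating the point in the comment above that an inline header states the cipher, mode and hash in plaintext. The function names are hypothetical and the sample header bytes are constructed for the example.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header (big-endian): magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, MK digest, MK salt, MK iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
KEYSLOT = struct.Struct(">II32sII")  # active, iterations, salt, offset, stripes
SLOT_ENABLED = 0x00AC71F3
NUM_SLOTS = 8


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return the plaintext metadata of a LUKS1 header, or None if absent."""
    if len(blob) < PHDR.size + NUM_SLOTS * KEYSLOT.size:
        return None
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC or version != 1:
        return None  # not LUKS1 (LUKS2 keeps its metadata in JSON instead)
    slot_state = [KEYSLOT.unpack_from(blob, PHDR.size + i * KEYSLOT.size)[0]
                  for i in range(NUM_SLOTS)]
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "hash": _text(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "uuid": _text(uuid),
        "used_keyslots": [i for i, s in enumerate(slot_state) if s == SLOT_ENABLED],
    }


def build_sample_header():
    """Constructed sample header (not from a real disk): AES-XTS, one passphrase."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 100000,
                    b"00000000-0000-4000-8000-000000000000")
    slots = KEYSLOT.pack(SLOT_ENABLED, 200000, bytes(32), 8, 4000)
    slots += KEYSLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000) * (NUM_SLOTS - 1)
    return hdr + slots


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

With a detached header the start of the partition carries no such structure, so the same function returns None for it.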
[–] MrMongoose 0 points 1 point 1 point (+1|-0) ago
You can use hardware encryption, where a device sits between the computer and the drive and does all of the encryption on the fly. The drive is unreadable without the encryption device/key. However, AFAIK, all those systems use hardware keys and not passwords.
[–] Craftkorb ago
Aaand there's the trust issue. Why should I trust that device that it does the job correctly? Without unintentional or maliciously introduced crypto bugs bogging security?
[–] ffs 0 points 1 point 1 point (+1|-0) ago
Because it's hopefully open source and audited.
[–] MrMongoose ago
Well, you can always apply whatever additional software encryption you want underneath it. It's just one more layer of security.
[–] ImSureImPerfect [S] ago
Hm. I'll have to read more about that. I'm fascinated by the idea.
If you install hardware encryption, the hardware key is...what...a physical, literal key of some sort? A piece of tech you slot in?
[–] MrMongoose 0 points 1 point 1 point (+1|-0) ago
Yep. Usually a small dongle. There may be other variations, though. Search for the Addonics Saturn series - that's what I ended up with.
[–] e0steven 0 points 1 point 1 point (+1|-0) ago
AFAIK hardly anyone uses these devices. If you need a small portable enterprise encrypted USB, check out IronKey. I've been using encryption for years across all different health systems, never once saw something like that.
[–] Ninbyo 0 points 1 point 1 point (+1|-0) ago
It's usually a card or device you plug in. Your phone's SIM card for example. A physical key might be used to prevent you from messing with the hardware in addition to it.
[–] xyzzy 2 points 1 point 3 points (+3|-2) ago
Full disk encryption is possible, but very bad for the performance.
Technically not everything is encrypted, the bootloader which asks for your passphrase and decrypts the filesystem is not.
[–] Craftkorb 0 points 6 points 6 points (+6|-0) ago
I call bullshit. I have a Lenovo Thinkpad X201, which has an i5 520M as CPU and thus supports the AES extension. An SSD is used as storage. Not the fastest one ever, still: 150MiB/s reading without encryption, ~125MiB/s with full disk encryption. I don't notice a thing whatever I do with it.
[–] VimTsar 0 points 6 points 6 points (+6|-0) ago
Not really. Most modern CPUs have AES support, so the performance hit using this cipher on HDDs isn't so bad. And SSDs aren't recommended for encrypted data anyway, since they keep ciphertext blocks which were rewritten and also need marking empty blocks for better performance, both of which weaken the encryption.
[–] e0steven 0 points 4 points 4 points (+4|-0) ago
I don't think that is the case at all and I doubt you've ever actually used it.
[–] qiezidaifu 0 points 1 point 1 point (+1|-0) ago
Well then state why that's not the case, no need for chirping.
[–] brojobbro ago
No, it's not. Not even a little. It takes longer for me to type in the password than it does to decrypt it. As for performance of my computer once it's decrypted, I can't tell a difference.
[–] [deleted] ago
[–] jammi ago (edited ago)
iOS devices (iPhone, iPad) do it automatically since iOS 8. OS X has had that feature standard for a very long time; just go to System Preferences ➔ Security & Privacy ➔ FileVault ➔ Turn On FileVault...
[–] e0steven ago
Note that older versions of FileVault (legacy now) only encrypt the user's volume, not the whole disk.
[–] jammi 0 points 1 point 1 point (+1|-0) ago (edited ago)
That was like more than a decade ago, which is in OS X adoption time like someone mentioned some Windows 3.1 or 95 limitation in Windows context. But yeah, the first version of FileVault encrypted the home directory as an encrypted disk image volume.
[–] kekonn ago
The best known solutions for this are BitLocker and TrueCrypt's total volume/drive encryption.