BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] TrueCrypt with SSD

Subject: [Discuss] TrueCrypt with SSD
From: omegahalo at gmail.com (Chris O'Connell)
Date: Mon, 15 Aug 2011 19:07:23 -0400
In-reply-to: <4E493CC3.9000409@blu.org>
References: <CADdmjq8ATpGBC85KJi=RnktAtox-NTEwf_3vEE5Mr1q0EP27Qw@mail.gmail.com> <003101cc5aed$9d2728c0$d7757a40$@nedharvey.com> <CAFv2jcbApV+RB6ZS3=AGg_Q5=9YzsWHSAa=Cf8HzjkncDpFk_g@mail.gmail.com> <000401cc5b40$d67e55a0$837b00e0$@nedharvey.com> <20110815124530.GI4396@angus.ind.WPI.EDU> <CADdmjq8-bbnk9+e4B_CnJHDxjoBUeFbYew=n_LpEHXypB9SgYA@mail.gmail.com> <4E493CC3.9000409@blu.org>

Agreed.  I look at drive encryption as a Best Effort protection technology.
 If the laptop is stolen while powered up the preboot password protection is
nullified.

I try to keep in mind the type of person who is probably going to steal a
laptop our laptop (or any laptop in general) and the type of information
they would find.  In reality, whatever they get off from our laptops
probably wouldn't be worth very much.

Thus, I think in the most cases just making it difficult to retrieve the
data with encryption is enough to cause a casual thief to format the drive.

On Mon, Aug 15, 2011 at 11:35 AM, Jerry Feldman <gaf at blu.org> wrote:

> Unfortunately I don't have anything to contribute here. Basically all
> disk I/O systems, encrypted or not write fixed length sectors. Since
> most Linux I/O is buffered, there is not much of a performance hit. But,
> the nature of SSD as discussed. There is certainly an individual file
> encryption, but these don't encrypt swap. Additionally, if the user
> loses the laptop without powering it off, a lot of stuff can be
> recovered from RAM. essentially it all comes down to the behavior of the
> user of the laptop. Even if you have full disk encryption, the behavior
> of your boss could effectively make encryption useless. TrueCrypt also
> does have some optimizations for SSD drives. I think that a lot of stuff
> like TrueCrypt provides a very false sense of security. Personally, I
> would opt for a self destruct where the laptop explodes if stolen :-)
>
> On 08/15/2011 09:07 AM, Chris O'Connell wrote:
> > Does anyone know of any other methods to securing the data on a solid
> state
> > drive?  Any BIOS level or TPM integrated security?
> >
> > On Mon, Aug 15, 2011 at 8:45 AM, Chuck Anderson <cra at wpi.edu> wrote:
> >
> >> On Mon, Aug 15, 2011 at 07:45:26AM -0400, Edward Ned Harvey wrote:
> >>> Incidentally, what *is* the problem with TrueCrypt anyway?  It seems to
> >> me,
> >>> a hard drive looks like a hard drive whether it's a HDD or SSD.  I
> would
> >>> expect it to be fine.  Do they have any details anywhere, what is the
> >>> problem?
> >> Sure, an SSD looks the same as an HDD to the application running on
> >> it.  But unlike HDDs, SSDs perform (in some cases much) worse and wear
> >> out faster when they are full vs. when they still have empty unused
> >> space.  So the ATA TRIM (and SCSI Discard) command was invented as a
> >> way for the application (i.e. filesystem, RAID subsystem, LVM,
> >> encryption subsystem, etc.) to tell the SSD which sectors are free/no
> >> longer in use.  In a normal, unencrypted scenario, a disk starts out
> >> mostly empty--the sectors start out zeroed and are only written to
> >> when they are actually needed.  In contrast, encrypted disks are
> >> always completely "full" or "untrimmed", because from the time they
> >> are initially formatted and encrypted every sector is written to with
> >> non-zero data because the empty encrypted sectors (i.e. the unused,
> >> zeroed blocks of a filesystem living on top of the encrypted mapping)
> >> appear random once they are encrypted onto the underlying physical
> >> device.
> >>
> >> TrueCrypt and many other full disk encryption packages cannot tell the
> >> drive which sectors are actually free (and hence maintain them as
> >> zeroed sectors on the SSD) because they don't support TRIM.  Many of
> >> the packages don't want to support TRIM because it would leak
> >> information about the encrypted disk to a potential attacker.  That's
> >> pretty much it in a nutshell.
> >> _______________________________________________
> >> Discuss mailing list
> >> Discuss at blu.org
> >> http://lists.blu.org/mailman/listinfo/discuss
> >>
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://lists.blu.org/mailman/listinfo/discuss
> >
>
>
> --
> Jerry Feldman <gaf at blu.org>
> Boston Linux and Unix
> PGP key id: 537C5846
> PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846
>
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>
>

References:
- [Discuss] TrueCrypt with SSD
  - From: omegahalo at gmail.com (Chris O'Connell)
- [Discuss] TrueCrypt with SSD
  - From: blu at nedharvey.com (Edward Ned Harvey)
- [Discuss] TrueCrypt with SSD
  - From: abreauj at gmail.com (John Abreau)
- [Discuss] TrueCrypt with SSD
  - From: blu at nedharvey.com (Edward Ned Harvey)
- [Discuss] TrueCrypt with SSD
  - From: cra at WPI.EDU (Chuck Anderson)
- [Discuss] TrueCrypt with SSD
  - From: omegahalo at gmail.com (Chris O'Connell)
- [Discuss] TrueCrypt with SSD
  - From: gaf at blu.org (Jerry Feldman)

Prev by Date: [Discuss] TrueCrypt with SSD
Next by Date: [Discuss] TrueCrypt with SSD
Previous by thread: [Discuss] TrueCrypt with SSD
Next by thread: [Discuss] Linux dm-crypt TRIM support for use with SSD
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org