[Discuss] Server/laptop full-disk encryption

[bogstad at pobox.com (Bill Bogstad)]

On Wed, Oct 1, 2014 at 3:49 AM, Bill Horne <bill at horne.net> wrote:
> On 9/30/2014 9:38 AM, Edward Ned Harvey (blu) wrote:
>>
>> In linux, I'm not aware of any product that does whole disk encryption
>> without needing a power-on password.  In windows, Bitlocker uses the TPM to
>> ensure the OS gets booted untampered, and then your user logon password and
>> OS security are used to prevent unauthorized access.  This is truly great to
>> protect against thugs and laptop thieves.
>>
>
> No offense, but why would it/ how could it? A laptop thief isn't likely to
> be looking for /your/ info,
> just an appliance to sell. "Thugs", OTOH, will be able to apply rubber-hose
> cryptography if it's
> /your/ data they want, and either way having an encrypted hard disk doesn't
> seem like a deterrent.

Yeah, I was going to post earlier that simply having Linux installed
on your laptop
is going to protect your data against 99% of random thieves.   When
they boot it up
and find out that it isn't running Windows (they know it's not a Mac),
they are going
to either toss it in the trash or get their cousin who plays a lot of
videos games to just do
a reinstall of Windows on it.

As for rubber hoses, it is not clear what the threat model is here.
On the one hand,
we seem to want complete security and on the other hand we are willing to hand
out the passphrase to any machine that can retrieve the URL from the local LAN.

I will agree with the original poster though that as of the last time
I looked (year or so ago), Linux documentation of whole disk
encryption seemed to assume that you were trying to hide out from the
mob or some 3-letter agency and had a Ph.D in computer science.  On
the other hand, security is hard with lots of fiddling details.
Whether better UIs to the underlying
software would help is unclear to me.

Bill Bogstad