undefined | Better HN

0 pointspjc5011y ago0 comments

So tptacek's argues that sector-based full-disk encryption is inherently vulnerable, especially if used on the boot volume, because if someone grabs your laptop everything's still loaded in memory.

What if my use case is different: keeping just a particular set of documents not in constant use secret? Perhaps stored on a removable drive? Truecrypt is great for this. It does have the risk of information leakage via tempfiles and swap, but it also makes you a lot harder to raid unless you've got the incriminating document open on your screen in a cafe (you fool).

(I was asked by someone I know who works in international human rights "How do I get my case files safely across borders?" and didn't have a good answer.)

0 comments

tptacek11y ago

If the documents aren't in constant use, the most secure way to encrypt them is with a userland program like PGP. Userland crypto knows where files begin and end, and can store metadata to improve the encryption. They can provide cryptographic integrity --- far more powerful than the incidental integrity check Bitlocker tried to provide, or the virtually zero integrity that XTS provides. They're randomized, so the ciphertext can have semantic security; it reveals nothing at all about the plaintext, even as the files are edited in place under the same key.

Sector crypto can't do anything even approximating this without contortions like geli.

If I was trying to protect files from nation state adversaries, I would not consider Truecrypt.

That doesn't mean I think you shouldn't run something like Truecrypt. I think you're better off with whatever your OS provides, but some kind of sector-level crypto, be it Bitlocker, Truecrypt, or Filevault, is still useful.

But if you're serious about protecting a specific set of files, encrypt them manually, no matter what else you do.

pjc50OP11y ago

Can PGP do true edit-in-place, or do I have to decrypt to local disk first? Because decrypting to local disk is very likely to leave plaintext lying around somewhere unless my primary SSD supports "secure erase free space" and I remember to use it.

tptacek11y ago

Good point. It doesn't; you need to securely delete temporary files. Mitigating that:

* Sector-level crypto is cryptographically incapable of secure in-place editing; they can gradually leak information about the plaintext as edits happen. That's not a big deal for a PDF, which aren't on-line live real-time edited, but it can be a big deal for other kinds of files. I tend to err on the side of systems programming weaknesses rather than crypto weaknesses. We're better at dealing with them.

* No matter what kind of cryptography you're using, the assumption you should be making is that plaintext is at some point exposed to someone who owns up your live running system.

I think concern about unlinked plaintext-containing sectors is reasonable, and a good reason to use both sector-level crypto and file-level crypto. I use both, as does everyone at Matasano.

j / k navigate · click thread line to collapse

0 pointspjc5011y ago0 comments

So tptacek's argues that sector-based full-disk encryption is inherently vulnerable, especially if used on the boot volume, because if someone grabs your laptop everything's still loaded in memory.

(I was asked by someone I know who works in international human rights "How do I get my case files safely across borders?" and didn't have a good answer.)

0 comments

tptacek11y ago

Sector crypto can't do anything even approximating this without contortions like geli.

If I was trying to protect files from nation state adversaries, I would not consider Truecrypt.

But if you're serious about protecting a specific set of files, encrypt them manually, no matter what else you do.

pjc50OP11y ago

tptacek11y ago

Good point. It doesn't; you need to securely delete temporary files. Mitigating that:

* No matter what kind of cryptography you're using, the assumption you should be making is that plaintext is at some point exposed to someone who owns up your live running system.

I think concern about unlinked plaintext-containing sectors is reasonable, and a good reason to use both sector-level crypto and file-level crypto. I use both, as does everyone at Matasano.

j / k navigate · click thread line to collapse