Laptop Full Disk Encryption

  • #1
    Laptop Full Disk Encryption

    So recent events with associates and my increased travel schedule have had me move to full disk encryption on my travel laptop(s). I'm running Ubuntu with an encrypted LVM, BTW.

    I'm running an old Thinkpad T43 (Pentium M processor, 1.86GHz, 1.5 GB RAM), and it's quite a dog on the system. It's usable, but painful when it gets bogged down.


    I know it's an ancient beast and I'm looking at something new. I see myself running full disk encryption for the foreseeable future, so anything I get, I want to have decent performance. I've got very little experience, or basis for comparison, for which features (CPU, RAM, disk I/O, etc.) have the biggest effect.

    I found this thread: https://forum.defcon.org/archive/index.php/t-8986.html from a few years ago but it doesn't really cover performance.

    So, the question for the assembled masses here, what things should I look for that provide a decent performance bump to an encrypted disk, and/or are there any models (Linux capable) that have crypto co-processors that may be useful.
    Never drink anything larger than your head!






  • #2
    Re: Laptop Full Disk Encryption

    I'm more curious why you need "full disk" encryption rather than leaving the partition with the OS unencrypted and just encrypting a second partition, redirecting or using symlinks to replace specific locations with the encrypted drive. There may be an obvious answer (so I'll take any bashing in stride); however, I'm still curious.
    Vell, WiK's just zis guy



    • #3
      Re: Laptop Full Disk Encryption

      I am interested in this topic too.

      I considered hardware-based encryption because of previous benchmark comparisons between it and software-based encryption, but since a majority of security problems in crypto have historically been with implementation, and firmware updates can't fix every implementation failure in hardware, I decided that slower performance with an upgradeable software solution, for the cases where implementation errors are found, was the "better" choice.

      As a result, I pretty much decided that software-based full disk encryption was what I would use with my next Linux laptop, and to set up a bootable USB-to-microSD 32GB "drive" that would sit flush with a USB port and be removable, so the microSD can be transported independently or easily hidden elsewhere. An additional USB-based key such as a smartcard could then be read by the booting microSD-based system after it starts the related services, and a passphrase would be required. This breaks the problem into individual parts, with the most critical being the passphrase, the smartcard, and the encrypted disk, followed distantly by the microSD "bootable" drive made available by USB. Once the devices could be mounted with encryption, a chroot to the new root could get me on my way.

      These were my thoughts on what I was going to do. I'd like to see what you all say about performance, and what other ideas you have had on implementing this and why you made the choices you did.

      Other things beyond this that I'd be interested in:
      * For the solutions proposed, have you considered what you would do for recovery when a volume is damaged? How will you repair it? (I've done this before with a loopback-mounted encrypted filesystem, and it has been a problem, especially when an offset was used.)
      * What mount/mkfs.[.*] options have you found to be the most beneficial for performance? (like with ext3 filesystems.)
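
The recovery question above is where most dm-crypt/LUKS users get bitten: the key-slot header at the start of the volume is the one part that is unrecoverable if it is damaged, whatever backups of the data you have. The following is an added example (not from the thread or any poster) of backing the header up and sanity-checking the copy before trusting it. It assumes cryptsetup is installed; the device path is a placeholder. The magic-byte check works for both LUKS1 and LUKS2, which share the primary header magic.

```shell
#!/bin/sh
# Added example: back up a LUKS header and verify the copy looks like one.
# Assumes cryptsetup is installed; /dev/sda5 below is a placeholder.

# Pure check: does the file start with the LUKS magic "LUKS\xba\xbe"?
# (Primary header magic for LUKS1 and LUKS2; LUKS2's secondary header
# uses "SKUL\xba\xbe" and is not what luksHeaderBackup writes first.)
is_luks_header() {
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Wrapper around the real backup command; refuses to report success
# unless the output actually carries the LUKS magic, so an empty or
# truncated file is caught now rather than on the day you need it.
backup_luks_header() {
    dev=$1; out=$2
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" || return 1
    is_luks_header "$out" || { echo "backup at $out is not a LUKS header" >&2; return 1; }
    chmod 600 "$out"    # the header holds the wrapped master key; keep it private
}

# Restore is the inverse. Only ever restore a header taken from this exact
# volume: a header from a different volume overwrites the real key slots.
restore_luks_header() {
    cryptsetup luksHeaderRestore "$1" --header-backup-file "$2"
}

# Usage (needs root; keep the copy off the laptop, e.g. on a USB key):
#   backup_luks_header /dev/sda5 /media/usbkey/sda5-luks-header.img
#   restore_luks_header /dev/sda5 /media/usbkey/sda5-luks-header.img
```

Two caveats a practitioner would want: the header backup is only as secret as the passphrase protecting its key slots, so if you later change or revoke a passphrase, the old backup still unlocks the volume until you re-take it; and the backup must be refreshed after any luksAddKey / luksKillKey.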



      • #4
        Re: Laptop Full Disk Encryption

        My laptops generally do not contain much private data, but I occasionally need to work on client data on the road. I VPN back home or VNC to my workstation for the most part. What I am worried about is data leakage, cached passwords, etc. I try to maintain a sterile system, but it's damn near impossible. It's also one of those peace of mind things for lost/stolen laptops.

        My secondary worry is the border crossings and data. It's a guilt-by-proxy concern, since I am on the speaking circuit with a lot of people being targeted recently, and since the border is the proverbial no-man's-land for laws, I want to cover my ass as much as possible.

        I am looking at full disk mostly for convenience. I've done encrypted volumes before, but there are a lot of cached copies of things that get generated. I figure, encrypt everything and remove some of the worry.

        Recovery is not a huge issue for me as I usually sync my data when I'm back home, so potential loss is minimal.

        If anyone has performance hacks, I'd like to know as well. Conversely, if anyone knows of a crypto accelerator card (pick a bus) that could be used, that may be interesting too.







        • #5
          Re: Laptop Full Disk Encryption

          Originally posted by WiK:
          I'm more curious why you need a "full disk" encryption
          I used to share this notion, but have come to understand that modern OS software (across all modern Win/Mac/NIX) is just littered with data all over the goddamn place.

          Most folk who today want full disk crypto are as worried about over-reaching authority figures as we are worried about theft/criminal attack. (Some of the search and seizure one sees by governments now is almost so blatantly awful as to qualify as criminal theft, in my view.)

          Simply put, if you're a sensible person and generally security-conscious you can probably avoid your laptop being outright stolen from you. The most likely scenario for needing any sort of crypto has to do with police or government types arbitrarily wanting to "inspect" your system.

          If you are using only an encrypted container and not whole disk crypto, you're essentially fucked in that scenario. You are going to leak all sorts of info about loads of your business, your clients, and your contacts. Often this isn't bad enough to get anyone jammed up legally (assuming you're all on the up-and-up), but it's still pretty terrible from an info discipline perspective to let 3rd parties hoover up all that info and store it somewhere.

          That's my two cents. Full disk crypto is the key. Even better is remote access to your work product and running just a burner laptop that you can wipe at the drop of a hat if the need arises.
          "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
          - Trent Reznor



          • #6
            Re: Laptop Full Disk Encryption

            I tweaked the swappiness of the system and it seems to be playing a bit nicer. The hard drive isn't monopolizing the system when I fire up a couple of torrents. The system still seems to be sluggish (more manageable now).

            https://help.ubuntu.com/community/Sw...20change%20it?

            Google seems to be failing me, or there are no options in terms of hardware crypto acceleration for laptops. TPM provides key management, but nothing for acceleration from what I can assess. There are hardware-encrypted hard drives, but I'm not sure if that solves the problem.

            I'm very surprised that there isn't any option for a hardware accelerator for a laptop (plenty for desktop)
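
On an encrypted LVM the swap logical volume is inside the encrypted PV, so every page swapped out or back in is also an AES operation; that is why turning swappiness down helps a CPU-bound box like the T43 more than it would on a plain install (and why swap must stay inside the encrypted volume: unencrypted swap leaks whatever was in RAM). The block below is an added example, not the poster's own procedure or the contents of the linked Ubuntu page: it shows how to apply the setting at runtime, persist it, and read back the effective value from a sysctl.conf-style file. The awk parser and the 0..100 range check are mine; sysctl semantics (file read top to bottom, last assignment wins) are the real ones.

```shell
#!/bin/sh
# Added example: inspect, validate, set and persist vm.swappiness.
# Default on Ubuntu of the era is 60; 10 is a common value for laptops
# where the swap device is an encrypted LV.

# Pure parser: given sysctl.conf-style text on stdin, print the effective
# vm.swappiness. Comments (#, ;) and trailing comments are ignored, and
# because sysctl applies the file top to bottom, the last assignment wins.
effective_swappiness() {
    awk -F'=' '
        { sub(/[#;].*/, "") }                          # strip comments, re-split
        $1 ~ /^[ \t]*vm\.swappiness[ \t]*$/ {
            gsub(/[ \t]/, "", $2); val = $2            # last one wins
        }
        END { if (val != "") print val }'
}

# Range check: the kernel accepted 0..100 on the kernels of the era
# (newer kernels allow up to 200; staying in 0..100 is portable).
valid_swappiness() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 100 ]
}

# Apply now and persist across reboots (needs root). Appending is safe
# because the last assignment wins; effective_swappiness shows the result.
set_swappiness() {
    valid_swappiness "$1" || { echo "bad swappiness: $1" >&2; return 1; }
    sysctl -w vm.swappiness="$1" >/dev/null
    printf 'vm.swappiness = %s\n' "$1" >> /etc/sysctl.conf
}

# Usage:
#   cat /proc/sys/vm/swappiness                 # current live value
#   set_swappiness 10
#   effective_swappiness < /etc/sysctl.conf     # what the next boot will use
```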







            • #7
              Re: Laptop Full Disk Encryption

              Originally posted by renderman:
              I tweaked the swappiness of the system and it seems to be playing a bit nicer. The hard drive isn't monopolizing the system when I fire up a couple of torrents. The system still seems to be sluggish (more manageable now).

              https://help.ubuntu.com/community/Sw...20change%20it?

              Google seems to be failing me, or there are no options in terms of hardware crypto acceleration for laptops. TPM provides key management, but nothing for acceleration from what I can assess. There are hardware-encrypted hard drives, but I'm not sure if that solves the problem.

              I'm very surprised that there isn't any option for a hardware accelerator for a laptop (plenty for desktop)
              I ran into the same problems, and I've done a little more digging. From the specs of PCI*-based crypto accelerators, it looks like they can use quite a bit of power, and this may be why we don't see them for laptops.

              Some TPMs provide more than key work, and can include crypto accelerators used by disk encryption software, and random number generators, too. One example of a TPM that claims to offer crypto acceleration comes from a PDF from Intel:

              Intel: Trusted Platform Module (TPM) based Security on Notebook PCs - White Paper (PDF) See page 7 on RSA Accelerator

              Combine this with claims on Wikipedia (which would need to be validated before being relied upon) in the section "Features" to find software that can take advantage of TPM functions, verify compatibility with the TPM you have (if any), and which features are used. (Simple "Yes" and "No" entries do not tell which TPM features are utilized by the software mentioned. "Yes" may only mean working with keys, or maybe taking advantage of a non-blocking random number generator that produces more random numbers than /dev/urandom and does not block like /dev/random when the entropy pool is exhausted, or it may mean more support, but no crypto acceleration.) Lots more digging would be needed, and it will depend on what software you want to use, and what TPM (if any) your laptop may have.

              eCryptfs: An Enterprise-class Cryptographic Filesystem for Linux claims that "IBM ThinkPads" (nothing about Lenovo) include a TPM that supports this feature. I don't see a date of publication for this article, but the most recent citation to an article is March 2005. If ThinkPads from 2005 have TPM with Crypto Acceleration, then perhaps your laptop may have this too.

              As for an unrealistic, non-portable, hackish solution without using TPM, there are "ExpressCard" to "PCI Express" boxes that let a laptop's ExpressCard slot host a PCI Express card, like this http://www.magma.com/pciexpress.asp, and then get a PCI Express crypto accelerator card.

              As for full disk encryption, I find references to SSD (SSD=Solid State Disks with no moving parts) from manufacturers that support "FDE" (FDE=Full Disk Encryption), but I don't know how vendors of new laptops announce this feature as being available in any SSD. For HDD (HDD=Hard Disk Drive with spinning disks), vendors like Lenovo specify which drives have FDE as part of the HDD description, so you may choose a 250GB HDD with encryption, or a 250 GB HDD without encryption, but these same vendors only show SSD without a description specifying FDE is included on some SSD but not others.

              Good question, man.

              (Abbreviations expanded to assist non-native English speakers.)

              [Added:]
              The question I have for this is about power and speed, and how much relying on these features improves the speed of the system as a whole. Is this only used for special cases where speed is not needed, such as generating keys, or as a dedicated crypto device to assist with encryption and decryption as needed by the OS or applications?
              Last edited by TheCotMan; December 23, 2010, 14:44.



              • #8
                Re: Laptop Full Disk Encryption

                A quick email to Scott Moulton, our resident hard drive know-it-all, says that it's more of a software issue than anything that can be offloaded onto hardware, in terms of the crypto anyway.

                TheCotMan: Wow, your response amazes again.

                I was chatting with Sintax_error the other night and he suggested that as an alternative to the cost of an SSD, a Hybrid SSD like the Seagate Momentus XT series where common files and operations are offloaded to the SSD may remove some of the overall performance hit. The cost is obviously greater than a HDD, (quick price check shows almost double, but that's $99 as opposed to $50 for the non-hybrid, so still manageable)

                Sadly this laptop will not handle a SATA hybrid drive, so I can't test, but something to keep in mind, and something worth testing if anyone has the inclination, time and funds.







                • #9
                  Re: Laptop Full Disk Encryption

                  Googling around, I found references to the latest Intel processors having a new instruction set, AES-specific, so if you run FDE with AES it provides, not a profound increase, but a swift kick nonetheless.

                  http://en.wikipedia.org/wiki/AES_instruction_set

                  Seems to be the latest i5 processors. Something good to know if/when I go shopping.
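
Two checks worth doing before trusting the "i5 has AES-NI" rule of thumb: not every SKU of that generation shipped with the instructions, and even when the CPU has them the kernel only uses them if the aesni_intel driver is the one registered for the cipher dm-crypt asks for. The block below is an added example (not from the thread): one parser for the CPU's claim in /proc/cpuinfo, one for the kernel's choice in /proc/crypto, and a wrapper that runs the real checks on the box. The "cryptroot" mapping name is a placeholder, and `cryptsetup benchmark` comes from cryptsetup 1.6 and later, so it is newer than this thread.

```shell
#!/bin/sh
# Added example: confirm AES-NI is present AND actually used by the kernel.
# The "aes" flag is the CPU's claim; /proc/crypto shows which implementation
# the kernel registered with the highest priority for the "aes" cipher.
# Both must line up, or dm-crypt is still running AES in plain C.

# Pure parser: does the given cpuinfo text advertise the aes instruction?
cpu_has_aesni() {   # usage: cpu_has_aesni < /proc/cpuinfo
    grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx 'aes'
}

# Pure parser: given /proc/crypto text, print the driver name of the
# highest-priority "aes" cipher (aes-aesni when AES-NI is in use,
# aes-generic or aes-asm when it is not).
best_aes_driver() {     # usage: best_aes_driver < /proc/crypto
    awk '
        /^name[ \t]*:/     { name = $3 }
        /^driver[ \t]*:/   { drv  = $3 }
        /^priority[ \t]*:/ { if (name == "aes" && $3 + 0 > best) { best = $3 + 0; bestdrv = drv } }
        END { if (bestdrv != "") print bestdrv }'
}

# Runs on the actual machine (needs /proc and, for the last two lines,
# cryptsetup and root). "cryptroot" is a placeholder mapping name; the
# Ubuntu encrypted-LVM installer names it differently.
check_box() {
    if cpu_has_aesni < /proc/cpuinfo; then
        echo "CPU: aes flag present"
    else
        echo "CPU: no AES-NI, expect software AES"   # a Pentium M lands here
    fi
    echo "kernel AES driver: $(best_aes_driver < /proc/crypto)"
    cryptsetup benchmark          # throughput per cipher/mode/key size
    cryptsetup status cryptroot   # cipher, key size and device behind the mapping
}
```

If the CPU check passes but the driver printed is aes-generic, load the module (modprobe aesni_intel) and re-run; if `cryptsetup status` shows a cipher other than AES (e.g. serpent or twofish), AES-NI will not help that volume at all.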




