Linux Full Disk Encryption Performance For The AMD Ryzen 7 PRO / HP Dev One


  • #11
    Originally posted by Espionage724
    I haven’t looked into FDE for a few years now, but I recall there being something about trim on SSDs. Can you run fstrim with FDE?
    Yes, this is possible, but you need to set the discard option in crypttab, which is not default.

    Comment
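One way to check the setting post #11 refers to, as an added example that is not part of the thread: this Python sketch parses crypttab text and reports which mappings carry the `discard` option. The sample entries, device names and function names are constructed for illustration.

```python
# Added example: which crypttab mappings let TRIM/discard requests through?
import sys

# Constructed sample; the UUIDs and device names are placeholders.
SAMPLE_CRYPTTAB = """\
# <name>    <device>                                   <keyfile>     <options>
cryptroot   UUID=00000000-0000-0000-0000-000000000001  none          luks,discard
cryptswap   /dev/nvme0n1p3                             /dev/urandom  swap,cipher=aes-xts-plain64,size=512
cryptdata   UUID=00000000-0000-0000-0000-000000000002  none
"""


def parse_crypttab(text):
    """Return one dict per mapping: name, device, keyfile, options (list)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            continue                      # malformed: name and device are mandatory
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            # The options column is optional; an absent column means defaults.
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def discard_report(text):
    """Map each mapping name to True when 'discard' is among its options."""
    return {e["name"]: "discard" in e["options"] for e in parse_crypttab(text)}


if __name__ == "__main__":
    # Pass a path such as /etc/crypttab, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRYPTTAB
    for name, enabled in discard_report(text).items():
        state = "discards passed to the SSD" if enabled else "discards not passed through"
        print(f"{name}: {state}")
```

A LUKS2 header can also store a persistent allow-discards flag, which a crypttab-only check like this does not see.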


    • #12
      Originally posted by Espionage724

      Yeah that sounds familiar; can anything be done to decrypt or bypass the encryption with trim in that case? I don’t necessarily mind attackers knowing the drive is encrypted.
      It's theoretically possible to statistically correlate disk usage (number of used blocks) with certain known files in known encrypted implementations on disk patterns. Padding files on disk with random segments would defeat this. But so far as I know, no one has published practical cases where statistical analysis of blocks in use has been used. You can infer the contents of single files if you get a solid match, but how that would get you anywhere intelligence-wise would be extremely case-specific, and it would not likely hold much water with Western democratic-style justice systems. It's usually easier to brute-force a weak key or coerce the key from the owner. And in other regimes, a rubber hose or firing squad trumps encryption any day.
      Last edited by stormcrow; 24 June 2022, 05:05 PM.

      Comment


      • #13
        Originally posted by Espionage724

        Yeah that sounds familiar; can anything be done to decrypt or bypass the encryption with trim in that case? I don’t necessarily mind attackers knowing the drive is encrypted.
        Disclaimer: I'm in no way an expert, so this is just me making blah-blah

        Filesystems probably leave certain patterns on the disk - where they put the metadata. If you find out which kind of filesystem is used by analyzing the patterns that get visible by trimming, that's the first step. With that info, you can probably already reconstruct some data as unencrypted (like: the superblock always is in sector 8192 for the madeup-fs and always starts with the six letters "MaDeUp"). That weakens your encryption, because now the attacker can reason about the key used to encrypt that known data ("MaDeUp") to the also known encrypted data. I believe it's still pretty hard to reconstruct an encryption key even if you know both unencrypted and encrypted data for "modern" algorithms - and here you probably only have tiny parts of unencrypted data. But it probably still gets a little easier than not knowing anything.

        I'd guess that the weakening trim might introduce doesn't matter for "home use".

        Comment
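What posts #12 and #13 describe, as an added example that is not part of the thread: a constructed model of an encrypted device, compared with and without discards. It assumes trimmed blocks read back as zeros and that the device was filled with random data before use; the block layout and function names are made up for illustration.

```python
# Added example: what the raw device reveals once discards reach the SSD.
import os

BLOCK = 4096  # bytes per block in this model

# Constructed layout: "metadata" every 8 blocks plus one 12-block file extent.
LIVE = {0, 8, 16, 24} | set(range(40, 52))


def device_image(total_blocks, live, discard):
    """Model the raw device. Random bytes stand in for ciphertext.

    discard=True : blocks the filesystem freed were trimmed and read as zeros.
    discard=False: freed blocks keep old ciphertext or the initial random fill.
    """
    zero = bytes(BLOCK)
    return b"".join(
        os.urandom(BLOCK) if (i in live or not discard) else zero
        for i in range(total_blocks)
    )


def usage_map(image):
    """Per block, True if it holds data. No key is needed to compute this."""
    zero = bytes(BLOCK)
    return [image[o:o + BLOCK] != zero for o in range(0, len(image), BLOCK)]


def extents(bitmap):
    """Collapse a usage bitmap into (start_block, length) runs of used blocks."""
    runs, start = [], None
    for i, used in enumerate(bitmap + [False]):   # sentinel closes the last run
        if used and start is None:
            start = i
        elif not used and start is not None:
            runs.append((start, i - start))
            start = None
    return runs


if __name__ == "__main__":
    for discard in (True, False):
        bitmap = usage_map(device_image(64, LIVE, discard))
        print(f"discard={discard}: {sum(bitmap)}/64 blocks look used")
        print("  " + "".join("#" if b else "." for b in bitmap))
        print("  extents:", extents(bitmap))
```

With discards on, the map exposes how much space is in use and where the regularly spaced blocks sit; with discards off, every block looks the same.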


        • #14
          Anyone have the cryptsetup benchmark output for this laptop?

          Comment


          • #15
            There are so many interesting things you could highlight in a review on a laptop running Linux but Michael is like: "best I can do is benchmarking".
            I'm not saying it's not important, but I would like to see other things mentioned. For example, how tlp works and to which degree.

            Comment


            • #16
              Originally posted by mazumoto
              It might also make "plausible deniability" impossible.
              Plausible deniability is not a thing anyway in this context. No one is going to believe you are lugging around a laptop with 1 TB of random noise on the disk instead of an OS and user data, especially when they can easily prove that you are regularly using said laptop to watch Netflix or whatever.

              Comment


              • #17
                Noob question perhaps: How does Pop OS encrypt the install if the laptop comes pre-loaded with Pop OS, does it simply do a re-install? Is only the user's /home directory encrypted? I've set up FDE with Manjaro and Ubuntu server before as well as FreeBSD and they all require the options to be set at install time so I'm curious how Pop OS can be different?

                Comment


                • #18
                  Originally posted by kylew77
                  Noob question perhaps: How does Pop OS encrypt the install if the laptop comes pre-loaded with Pop OS, does it simply do a re-install? Is only the user's /home directory encrypted? I've set up FDE with Manjaro and Ubuntu server before as well as FreeBSD and they all require the options to be set at install time so I'm curious how Pop OS can be different?
                  How it seems to happen is on first boot of the new system to basically trigger the actual OS install with the image on disk.
                  Michael Larabel
                  https://www.michaellarabel.com/

                  Comment


                  • #19
                    Originally posted by Espionage724
                    I haven’t looked into FDE for a few years now, but I recall there being something about trim on SSDs. Can you run fstrim with FDE?
                    OpenBSD, the security-focused *BSD OS, doesn't support TRIM on its FFS2 file system nor the FFS1 FS because of this very reason, but as I saw a poster comment, it only removes plausible deniability that you have an encrypted drive. There is a discussion about this very issue in the last OpenBSD release announcement on Phoronix earlier this year by people way smarter than me: https://www.phoronix.com/scan.php?pa...D-7.1-Released

                    Comment


                    • #20
                      Originally posted by Michael

                      How it seems to happen is on first boot of the new system to basically trigger the actual OS install with the image on disk.
                      Thanks so much Michael for a direct response. Appreciate it sir. Keep up the good work! Next time you run another membership sale I'll probably re-up again. Love reading this website every single day sir.

                      Comment
