Announcement

Collapse
No announcement yet.

The 2019 Laptop Performance Cost To Linux Full-Disk Encryption

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Michael
    Do you have tests planned how AES-based LUKS compares against Google's new Adiantum encryption? That would be interesting, especially with vs. without AES hardware acceleration.

    Also I think the choice of I/O scheduler is important to a degree, as it can partially mask the additional access latency incurred by LUKS.

    Comment


    • #22
      Originally posted by Slithery View Post
      Which would only be of any use if you could guarantee that no-one else had physical access to your machine. Otherwise they could drop a modified binary in your system path to do anything they wanted.
      Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.

      Originally posted by cybertraveler View Post
      If someone is targeting you specifically to steal data or deply malicious code on your systems and they can get physical access to the systems, pretty much all bets are off (unless you have one of those fancy ORWL computers, for instance).
      No, there exist concepts which are at least somewhat resistant against Evil Maid scenarios. Google Chromebooks are an example.

      Comment


      • #23
        What's the purpose of encrypting the OS disk or boot volumes? I encrypt /home and that's it. (Plus I have /tmp as a ram disk so its contents do not persist across reboots.)

        Comment


        • #24
          Originally posted by chithanh View Post

          No, there exist concepts which are at least somewhat resistant against Evil Maid scenarios. Google Chromebooks are an example.
          :P Re-read what I wrote, that you quoted.

          Comment


          • #25
            You need to benchmark (with) an Atom-class device. i7 is just not big enough a deal.

            Comment


            • #26
              Originally posted by [email protected] View Post
              Side note: I recently installed ubuntu on a friend's computer, and it looks like the installer doesn't offer any luks on lvm options, so we had to do it manually. I wonder what's the performance penalty of this, but I would expect it to be minimal compared to plain luks.
              Were you installing it with another OS? My 18.04 install uses a LUKS/LVM automatic setup and it looks like that is an option in the installer from some quick Googling:
              http://www.youtube.com/watch?v=pCsvj_bi0A8&t=3m10s

              From memory, though, the FDE options are more limited for dual-boot setups.

              Comment


              • #27
                Originally posted by chithanh View Post
                Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.

                No, there exist concepts which are at least somewhat resistant against Evil Maid scenarios. Google Chromebooks are an example.
                The "Attacker Model" section of
                https://www.ru.nl/publish/pages/9092...ft-paper_1.pdf
                does a good job of summarising the various threat models and where FDE helps (and does not).

                Comment


                • #28
                  Originally posted by chithanh View Post
                  Both LUKS full-disk encryption and /home encryption are susceptible to this problem. Neither is resistant against "Evil Maid" style attacks. Even if you boot from external media normally which contains the crypto keys (on USB or SD card or whatever), the attacker could still switch boot order to boot from a specially crafted internal partition, then corrupt your boot media, and then continue to boot from there.
                  What if you password-protect the BIOS and only allow to boot from external media after entering the password?

                  Comment


                  • #29
                    Regardless of performance I have been running FDE on every single system I manage for over 20 years. My biggest threat is thieves stealing hardware then having full access to the data and even basic FDE protects against that. Recently I have been looking to move to encrypted /boot due to very real espionage threats. I don't understand why management keeps hiring Chinese spies and giving them way too much access. "This time it will be different." Idiots.

                    Comment


                    • #30
                      Originally posted by cybertraveler View Post
                      :P Re-read what I wrote, that you quoted.
                      I was specifically referring to the "all bets are off" remark. If you boot a Chromebook and it does not give you the developer mode warning, then you can be reasonably sure that the verified boot process is still intact.

                      Originally posted by Aaron View Post
                      The "Attacker Model" section of
                      https://www.ru.nl/publish/pages/9092...ft-paper_1.pdf
                      does a good job of summarising the various threat models and where FDE helps (and does not).
                      The question was if FDE is more secure in any threat scenario than /home encryption, and I find nothing in the Attacker Model section that indicates it is.

                      Originally posted by Venemo View Post
                      What if you password-protect the BIOS and only allow to boot from external media after entering the password?
                      An Evil Maid has the ability to remove the local boot disk and modify it, or temporarily replace it with another one. Once booted, EFI boot order etc. can be manipulated from the operating system.

                      Comment

                      Working...
                      X