Slashdot Mirror
Locking Up Linux, Creating a Cryptobook
Tom's Hardware has a nice overview about some of the latest ways to secure your data looking specifically at open source solutions that wont lock down your credit card. Since many people presented performance issues for why they don't implement encryption there was also special attention given to how well your system will perform after implementation of encryption. From the article: "At least where LUKS is concerned, performance is hardly an issue - one must expect to pay some penalty for additional encryption facilities that handle unencrypted data transparently. All of these solutions are simple to set up and use on a daily basis, but LUKS is portable across Windows and Linux platforms."
Software encryption is fine, but there needs to be better and more widespread hardware encryption (NOT DRM) facilties that can be taken advantage of in a cross-platform manner..
Obliterate advertising!
Encryption won't protect you from hackers if you have the drives mounted 24/7.
It's only good for protection against stolen data, eg. usb drives or cds/dvds.
Or, if you keep your entire computer at unsecre location, and are afraid that someone will steal the entire machine(root crypto).
But remember, encrypted filesystems are vulnerable to cryptanalysis since they contain specific information at specific blocks even if encrypted(ext3 header etc..)
Encryption won't give you perfect cover, but if you really have something valuable to protect, it's decent way to go.
Performance WILL be an issue, don't be blinded with those luks graphs, real world performance will be much closer to the cryptfs/encfs performance numbers, but it's fast enough. Just encrypt what you have to. No need to encrypt entire system if you can get away just by encrypting home dir.
There are no atheists when recovering from tape backup.
I'm not sure I agree with this.
Software encryption is really superior to hardware in many ways. Basically the only way it's usually not superior is in terms of speed, and this is why you see hardware encryption implemented.
However, as general-purpose computers have gotten faster and faster, so that there's more surplus capacity for things like encryption and decryption on the fly, I see the need for hardware encryption becoming less and less.
There's just no reason to restrict yourself to a hardware-based system that's hard to upgrade and fix, when you can use a software system that can be kept in tune with the state of the art and is a lot easier to trust. Even if I'm a relatively interested and intelligent person, there's no way I can 'open up' a hardware encryption module and see what's going on inside. With software encryption, I can look at the source code (and provided I'm using a trusted compiler and toolchain) know what it's doing.
Furthermore, software encryption leads to more diversity in implementations. When you use hardware systems, the only way they're affordable is if there is an economy of scale. You don't make just a handful (or even a few thousand) hardware modules, you want to make tens or hundreds of thousands of them. That means it's automatically going to be a big target. With software, everyone can use something that fits their needs more completely, and the exposure of the system as a result of a single exploit is reduced.
Hardware encryption was fine when computers were too slow to encrypt data that was being written to disk on-the-fly. But now they are, and this means that you can use regular equipment, and use whatever cryptographic implementation you want, and upgrade it as often as is required, with minimal additional expense. In fact, if I was going to build a "hardware" encryption device today, I'd probably just design it around a general-purpose system-on-a-chip so that it would be easily reprogrammable. I can't imagine that for anything but the most specialized, very speed-intensive tasks, that a custom-made hardware solution is really advantageous.
Not that I'm saying that all cryptographic hardware is bad; there is definitely room for specialized components without making entire hardware encryptors: dedicated hardware random number generators, for instance, seem like they'll definitely have a place for the foreseeable future.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Every time you write a block to disk, it goes through a cryptographic checksum. Every time you send a TCP packet it goes through a checksum. The amount of CPU needed to do these checksums is not much different from the amount of CPU needed to do full encryption. We routinely use compression, which takes more CPU. If someone out there is thinking, "I would love to encrypt but I'm worried about performance", he's probably using a Mac Plus or a PC Jr or something. That isn't reality. Modern CPUs pipeline all these operations and do them so fast it will make no noticeable difference in anything.
As a desktop user, using hardware encryption will make no noticeable for anything. Even for servers, modern CPUs are so fast. A typical website spins its CPU on things like databases and bad PHP code. The SSL encryption hardly matters.
This isn't the 90s anymore. 2ghz CPUs are standard now. Dual CPUs are standard. I would be surprised if hardware encryptors have any edge over general-purpose CPUs these days.
So, then you put a hidden share in, and then put another hidden share inside that hidden share. Truecrypt hidden shares can be an arbitrary number of levels deep, and unless the authorities intend to just beat you until you die they're going to have to figure at some point that you might just be telling them the truth when you say there isn't another level...
The design of truecrypt is that it isn't possible to tell whether there is a hidden volume or not - it just looks like unused space.