- over the Internet) while it is running and after you have already unlocked and mounted the encrypted parts of the disk.
- Attackers who are able to gain physical access to the computer while it is running (even if you use a screenlocker), or very shortly after it was running, if they have the resources to perform a cold boot attack.
- A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of coercion. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest. Also see XKCD #538

Data-at-rest encryption also will not protect you against someone simply wiping your disk. Regular backups are recommended to keep your data safe.

A very strong disk encryption setup (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system before you use it. And even then it cannot prevent all types of tampering (e.g. The best remedy might be hardware-based full-disk encryption and Trusted Computing.

While encrypting only the user data itself (often located within the home directory, or on removable media like a data DVD), is the simplest and least intrusive method, it has some significant drawbacks. In modern computer systems, there are many background processes that may cache and store information about user data or parts of the data itself in non-encrypted areas of the hard drive, like:

- (potential remedies: disable swapping, or use encrypted swap as well)
- /tmp (temporary files created by user applications) (potential remedies: avoid such applications; mount /tmp inside a ramdisk)
- /var (log files and databases and such; for example, mlocate stores an index of all file names in /var/lib/mlocate/mlocate.db)

The solution is to encrypt both system and user data, preventing unauthorized physical access to private data that may be cached by the system. This however comes with the disadvantage that unlocking of the encrypted parts of the disk has to happen at boot time. Another benefit of system data encryption is that it complicates the installation of malware like keyloggers or rootkits for someone with physical access.

Which encryption setup is appropriate for you will depend on your goals (please read #Why use encryption? above) and system parameters. Among other things, you will need to answer the following questions:

- What kind of "attacker" do you want to protect against?
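The unencrypted locations named in the text (swap, /tmp, /var) can be checked on a running system. The following is an added example, not part of the original page: it classifies each location from the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT` and the contents of `/proc/mounts`. The sample inputs, function names and status labels are constructed for illustration.

```python
import json

# Constructed sample: only /home sits on dm-crypt (the "user data only" setup).
# The shape matches `lsblk --json -o NAME,TYPE,MOUNTPOINT`.
SAMPLE_LSBLK = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": None, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/"},
    {"name": "sda2", "type": "part", "mountpoint": "[SWAP]"},
    {"name": "sda3", "type": "part", "mountpoint": None, "children": [
        {"name": "home", "type": "crypt", "mountpoint": "/home"}]}]}]})
# Constructed /proc/mounts excerpt.
SAMPLE_MOUNTS = "/dev/sda1 / ext4 rw 0 0\ntmpfs /tmp tmpfs rw,nosuid 0 0\n/dev/mapper/home /home ext4 rw 0 0\n"

def crypt_backed(lsblk_json):
    """Map each mountpoint to True if a dm-crypt (TYPE=crypt) device sits beneath it."""
    found = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mp = dev.get("mountpoint")
        if mp:
            # Several devices can share "[SWAP]"; one plaintext device taints it.
            found[mp] = under_crypt and found.get(mp, True)
        for child in dev.get("children", []):
            walk(child, under_crypt)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found

def audit(lsblk_json, proc_mounts):
    """Classify swap, /tmp and /var as encrypted, ramdisk, plaintext, none or unknown."""
    backed = crypt_backed(lsblk_json)
    fields = [line.split() for line in proc_mounts.splitlines()]
    ram = {f[1] for f in fields if len(f) > 2 and f[2] == "tmpfs"}
    label = {True: "encrypted", False: "plaintext", None: "unknown"}
    report = {"[SWAP]": label[backed["[SWAP]"]] if "[SWAP]" in backed else "none"}
    for path in ("/tmp", "/var"):
        if path in ram:
            # tmpfs pages can be swapped out, so a ramdisk only helps if swap is safe too.
            leaky = report["[SWAP]"] == "plaintext"
            report[path] = "ramdisk, spills to plaintext swap" if leaky else "ramdisk"
        else:
            # Not a separate mount: the directory lives on the root filesystem.
            report[path] = label[backed.get(path, backed.get("/"))]
    return report

if __name__ == "__main__":
    for path, status in audit(SAMPLE_LSBLK, SAMPLE_MOUNTS).items():
        print(f"{path:8} {status}")
```

On a real system, pass the actual `lsblk` output and `/proc/mounts` contents to `audit()` instead of the samples.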