[Discuss] Full disk encryption
The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688):

  @EFF
  Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng

Which links to this article:
https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own

  Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues. Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen.
  [...]
  Choosing a Disk Encryption Tool
  [...]
  -Microsoft BitLocker in its most secure mode is the gold standard because it protects against more attack modes than other software. Unfortunately, Microsoft has only made it available with certain versions of Microsoft Windows.
  -TrueCrypt has the most cross-platform compatibility.
  -Mac OS X and most Linux distributions have their own full-disk encryption software built in.

What makes Microsoft BitLocker better than TrueCrypt?

Are you using full disk encryption? If so, what tool are you using?

 -Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
Re: [Discuss] Full disk encryption
No, I'm not for it.

Just don't lose your laptop. Just don't leave your laptop, in the car, in high theft areas, like the Microcenter parking lot ;-(

I've been at companies that demanded that everyone use it, and there is a performance hit. The one that we used was like a bios thing, it popped up and demanded the key before it would boot.

If you have oodles of CPU and RAM, it is less annoying.

The more likely scenario will be that people in corporate situations will be forced to use it. And then you won't like it.

Thanks,
Jim Gasek
Re: [Discuss] Full disk encryption
I've used both TrueCrypt and BitLocker. I prefer BitLocker for a couple of reasons:

The password used to decrypt the disk and log in to Windows is the same. Thus the process is more transparent for users. Instead of having to enter two (sometimes unrelated) passwords with Truecrypt, BitLocker users only enter one password. My users HATE truecrypt. They are prompted twice for passwords (Once preboot and once to log into Windows). Also, the preboot password doesn't correlate with the login password, especially if the Windows Password policy forces users to change their passwords at some interval.

Hibernation and suspend is smoother and more reliable with BitLocker. Truecrypt sometimes requires you to enter the PreBoot password to resume your system, whereas BitLocker has the standard Windows login screen when you resume.

From a deployment standard Truecrypt is easier. BitLocker requires some strange partitioning setups (a 1.5GB Boot Partition followed by a system partition). I've not found a way to reliably resize these partitions without repartitioning and reinstalling Windows.

As for OS X encryption, it sucks. FileVault doesn't work reliably with Time Machine. My experience prevented me from restoring a TimeMachine backup from an encrypted machine to my laptop when my hard disk crashed. I don't trust it.

Chris

--
Chris O'Connell
http://outlookoutbox.blogspot.com
Re: [Discuss] Full disk encryption
BitLocker claims a "single digit percentage hit." Personally I've not noticed it.

ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly.

--
Chris O'Connell
http://outlookoutbox.blogspot.com
Re: [Discuss] Full disk encryption
On Jan 2, 2012, at 7:55 PM, Tom Metro wrote:
>
> What makes Microsoft BitLocker better than TrueCrypt?

"... because it protects against more attack modes than other software."

> Are you using full disk encryption? If so, what tool are you using?

I don't. I take care of my gear. I made this statement before: I see WDE as an enabler for carelessness. We keep hearing about "lost" notebooks with sensitive information on them. If the bearers of those notebooks weren't so careless then their notebooks wouldn't have been lost in the first place. Better still, if the data on those laptops were kept on secure servers with controlled VPN access instead of on portable equipment then loss of that portable equipment wouldn't be an issue.

Legacy FileVault restore is a PITA. You can't restore normally. You either restore the entire sparsebundle for the user's home directory or mount the backup volume and pluck out files by hand. FileVault2 addresses this because it is a WDE system, but FV2 has its own issues.

And this is the great big rub with WDE: backups. File-level backups are decrypted when sent to the backup system unless the backup system itself re-encrypts everything. One MITM attack and everything is compromised. Container and block backups require restoring the entire container or block device; they can't be used to restore single files, at least not without great difficulty, and block device (bare metal) restores usually need to be restored to identical hardware to work correctly.

I had TrueCrypt WDE on my netbook and BitLocker on my gaming rig at home. I ripped them out because of the backup/restore hassles. The perception of security just isn't worth it.

Never mind that I have a pair of Mac Minis playing server. Sometimes they need to be restarted remotely. Can't do that with WDE.

--Rich P.
Re: [Discuss] Full disk encryption
> What makes Microsoft BitLocker better than TrueCrypt?

I've used TrueCrypt; no experience w/ BitLocker.

> Are you using full disk encryption? If so, what tool are you using?

I use Ubuntu which allows encryption of the home directory. I keep all of my personal/sensitive stuff in the home directory, so I figured encrypting the home dir would be enough. The decryption happens upon login and my password is sufficiently long.

Any thoughts on the kind of security risk I might be vulnerable to because I only encrypt my home dir as opposed to the full disk?

I recently came across advice to use cascading encryption, which I understand to mean "nesting" encryption, where each is a different kind (aes, blowfish, etc.) This seems overkill for most folks.
Re: [Discuss] Full disk encryption
On 1/3/2012 12:16 AM, a k'wala wrote:
> Any thoughts on the kind of security risk I might be vulnerable to because I only encrypt my home dir as opposed to the full disk?

Many applications use /tmp or /var files as working storage, and they leave ghosts behind.

Bill

--
Bill Horne
339-364-8487
Re: [Discuss] Full disk encryption
On Mon, Jan 02, 2012 at 08:12:28PM -0500, Chris O'Connell wrote:
> BitLocker claims a "single digit percentage hit." Personally I've not noticed it.
>
> ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly.

I'm using LUKS w/TRIM support on an SSD. Slightly less secure, but SSD-friendly.
Re: [Discuss] Full disk encryption
I run Symantec PGP Whole Disk Encryption on my work PC (as required by IBM). No problems so far.

--
Jerry Feldman
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
Re: [Discuss] Full disk encryption
On 01/02/2012 08:10 PM, Chris O'Connell wrote:
> The password used to decrypt the disk and log in to Windows is the same. Thus the process is more transparent for users. Instead of having to enter two (sometimes unrelated) passwords with Truecrypt, BitLocker users only enter one password.

Same with Symantec PGP. As a matter of fact I have a BIOS password, as well as a PGP as well as computer password as well as IBM intranet password. When I log into PGP, it also logs me into the system. The BIOS password is intermittent. Sometimes it requires it sometimes not. At the IBM training webinar the presenter suggested using the same passwords for all. However I have a different password for Lotus Notes because the password rules are different. In any case, next time I change my passwords, I'll coordinate all of them.

--
Jerry Feldman
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
Re: [Discuss] Full disk encryption
On Mon, 2 Jan 2012, Tom Metro wrote:

> The EFF recently tweeted (http://twitter.com/#!/EFF/status/153306301965938688):
>
>   @EFF
>   Call to action for 2012: full disk encryption on every machine you own! Who's with us? eff.org/r.3Ng
>
> Which links to this article:
> https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own

We have a dozen or so machines with data supplied on the condition that they not be networked and be fully encrypted. They are used intermittently and the fear (of the data sources) is they might be stolen. I don't see much point in encrypting data on a network server - if the disk is mounted then the plain-text is available to an intruder and the addition of an encrypted version doesn't enhance security. For a standalone machine, it does seem to offer us protection against getting in trouble with the state of Massachusetts over disclosure of financial data should the system be lost or mislaid. That is valuable to us.

We have both Fedora and Windows machines. The built-in Fedora encryption is no trouble to establish (just check the box during installation) and maintain and on a multi-core desktop does not affect performance. An update from Fedora 13 to 16 did damage the boot record and make the disk unreadable, so I wouldn't try doing an update again. For a non-networked machine there isn't much need for updates, anyway.

On Windows, we have never used bitlocker, but have good experience with Compusec.

http://www.ce-infosys.com/english/free_compusec/free_compusec.aspx

It is extremely easy to install and I like the ability to add an administrative password in case the user forgets the user password. It was not compatible with software RAID.

I have used Truecrypt, but am put off by the documentation, which suggests that the primary purpose of encryption is to avoid police inspection. As xkcd pointed out, this is hopeless ( http://xkcd.com/538/ ).

In both cases, I would like to see the encryption password (not the login password) used to unlock the screen (and reestablish decryption), but this does not seem to be available.

My understanding is that the underlying encryption systems make password guessing by brute force extremely slow, so that frequent password changes are not required, not that all agencies agree.

Daniel Feenberg
Re: [Discuss] Full disk encryption
At my company we are using BitLocker. Not on every machine right now, but that is the goal eventually.

One of the huge benefits I think is that the encryption keys/recovery keys can be stored in AD. So that if you need to unlock or change the drives around you don't need to have the user store that some place to get lost/stolen. It stores in AD and can be recovered when we need it.

It's a pretty simple solution for the most part because we are using Windows Deployment Toolkit to image the machines and then BitLocker runs after the deployment is done.
Re: [Discuss] Full disk encryption
> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Jim Gasek
>
> there is a performance hit.

There may be a performance hit in some situations, but not on modern or decent computers with decent encryption. I have two points to back this up:

I have a Core2 laptop running windows. I benchmarked it before enabling bitlocker, and again after enabling bitlocker. I found the performance was equal in both situations, but when bitlocker was enabled, I had 30-35% increase cpu load.

In later processors (i7 for example) they support the AES instruction set, which reduces this by 1-2 orders of magnitude, which means there is no significant performance difference.

> The more likely scenario will be that people in corporate situations will be forced to use it. And then you won't like it.

I deploy bitlocker and filevault to all my users, and they don't notice it or care. Except some - Some people demand it explicitly because they are concerned about their data being stolen. Nobody is opposed to it. Not a single person.
Re: [Discuss] Full disk encryption
> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell
>
> ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly.

First of all, the supposed 30% performance hit takes you down from 200% to 170% performance as compared to an HDD (or whatever arbitrary numbers we want to make up for comparing HDD vs SSD performance where SSD performance > HDD performance).

Second of all, some OSes support TRIM on encrypted drives. They just reduce the size of disk they consume by some percentage, and TRIM the unused blocks as necessary, so there are always some blocks available for use that have been TRIM'd.

Third of all, some SSD's support the virtual size reduction as above, but do it at the hardware level, so there are always TRIM'd blocks available.

In any of the above scenarios, the end result is no significant performance degradation on SSD's caused by TRIM vs Encryption.
Re: [Discuss] Full disk encryption
> From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Tom Metro
>
> What makes Microsoft BitLocker better than TrueCrypt?

Each is better in its own way.

Bitlocker is better if you're an IT person who wants to protect your internal users from external attackers, and you want to ensure you're still able to access the internal users' data, if the internal user goes away for some reason. It's easy for you to deploy and control centrally, and users don't notice it or complain about it. Bitlocker is easier to use - No password necessary at boot time. The TPM performs some system biometrics (checksum the BIOS, serial number, various other magic ingredients, and only unlock the hard drive if the system has been untampered. Therefore you are actually as secure as your OS.)

Truecrypt is better if you are a user, who cannot trust his IT people. You want to keep the kiddie porn, the plans for the remote government's nuclear program secret from all people, period.

> Are you using full disk encryption? If so, what tool are you using?

I am using Truecrypt on windows. Filevault on OSX Lion. Nothing on OSX Snow Leopard. Nothing on linux.
Re: [Discuss] Full disk encryption
That has not been my experience at all. I have personally encrypted two machines that had SSD drives, both had modern CPUS, one was an I3 and one an I7. There was a substantially noticeable decrease in performance using TrueCrypt. In fact, the wait times increased so much after encrypting that I grew impatient waiting for boot times and Microsoft Office load times.

This article has some scientific testing regarding performance on SSD drives that are encrypted:
http://media-addicted.de/ssd-and-truecrypt-durability-and-performance-issues/744/

--
Chris O'Connell
http://outlookoutbox.blogspot.com
Re: [Discuss] Full disk encryption
A couple of more supporting links regarding TRIM and wear-leveling (from Truecrypt):
http://www.truecrypt.org/docs/?s=trim-operation
http://www.truecrypt.org/docs/?s=wear-leveling

--
Chris O'Connell
http://outlookoutbox.blogspot.com
Re: [Discuss] Full disk encryption
> From: Chris O'Connell [mailto:omegah...@gmail.com]
>
> (snipped and moved top post to bottom)
>
>> On Tue, Jan 3, 2012 at 12:07 PM, Edward Ned Harvey wrote:
>> >
>> > ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly.
>>
>> First of all, the supposed 30% performance hit takes you down from 200% to 170% performance as compared to an HDD (or whatever arbitrary numbers we want to make up for comparing HDD vs SSD performance where SSD performance > HDD performance).
>>
>> Second of all, some OSes support TRIM on encrypted drives. They just reduce the size of disk they consume by some percentage, and TRIM the unused blocks as necessary, so there are always some blocks available for use that have been TRIM'd.
>>
>> Third of all, some SSD's support the virtual size reduction as above, but do it at the hardware level, so there are always TRIM'd blocks available.
>>
>> In any of the above scenarios, the end result is no significant performance degradation on SSD's caused by TRIM vs Encryption.
>>
> That has not been my experience at all. I have personally encrypted two machines that had SSD drives, both had modern CPUS, one was an I3 and one an I7. There was a substantially noticeable decrease in performance using TrueCrypt. In fact, the wait times increased so much after encrypting that I grew impatient waiting for boot times and Microsoft Office load times.

Your first comment was about TRIM as it relates to SSD's. TRIM is only applicable for write performance. Your read performance is the same regardless of TRIM.

Your second comment is about booting windows (a bunch of read operations) on SSD encrypted by truecrypt. If this performs poorly, it's because of truecrypt performing poorly, unrelated to SSD or TRIM.

I previously commented, "There may be a performance hit in some situations, but not on modern or decent computers with decent encryption." I would have expected truecrypt to perform well, and I am surprised that at least in your case, truecrypt is not what I am calling "decent" encryption. I don't know if perhaps there's a configuration issue you're able to change and correct... Upgrade to a later version of truecrypt, or change the encryption protocols (AES vs Serpent vs Blowfish etc). Perhaps there's a known issue where truecrypt performs poorly on certain types of hardware - I don't know.

But I do know that I deploy bitlocker on SSD's to users, and it works great. You should expect it to work great, including truecrypt. If your performance is bad on truecrypt, I suggest tweaking it, I suggest trying something else (like bitlocker, if it's acceptable to you) and I suggest contacting the truecrypt guys for support.
Re: [Discuss] Full disk encryption
> From: Chris O'Connell [mailto:omegah...@gmail.com]
>
> http://www.truecrypt.org/docs/?s=trim-operation

Given: Truecrypt permits TRIM. And if you TRIM, an attacker may be able to identify some information, such as degrading your plausible deniability in some cases, or something like that.

> http://www.truecrypt.org/docs/?s=wear-leveling

Given: Thanks to wear leveling, multiple copies of data may exist in storage.
Given: If an attacker has access to multiple copies of encrypted data, it may reduce the work necessary for the attacker to decrypt the information.

Now, following "some logic," we conclude "Never encrypt an SSD." Could you please explain the logic?
It seems, running without encryption, you would give up far more than the above.

You might want to revise your comment? Instead, "Never use an SSD, because even with encryption, it's not secure enough for your taste?"

> > From: discuss-bounces+blu=nedharvey@blu.org [mailto:discuss-bounces+blu=nedharvey@blu.org] On Behalf Of Chris O'Connell
> >
> > ALSO, NO FULL DISK ENCRYPTION should ever be used on an SSD drive. Performance will drop by 30% and the drive's wear-leveling system and TRIM won't function correctly.
Re: [Discuss] Full disk encryption
Perhaps the use of the word "NEVER" is too strong or misleading. From personal experience I can say that given the performance decrease using TrueCrypt on an SSD drive "I would never encrypt an SSD drive using TrueCrypt." I haven't tried BitLocker on an SSD drive yet.

You have really proven your point Ed!

Chris

--
Chris O'Connell
http://outlookoutbox.blogspot.com
Re: [Discuss] Full disk encryption
Bill Horne wrote:
> Oa k'wala wrote:
>> Any thoughts on the kind of security risk I might be vulnerable to
>> because I only encrypt my home dir as opposed to the full disk?
>
> Many applications use /tmp or /var files as working storage, and they
> leave ghosts behind.

As does swap.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

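The exposure raised in the message above (working files in /tmp and /var, plus swap, living outside an encrypted home directory) can be checked from block-device data. This is an added example, not part of the original thread: the function names are hypothetical and the `lsblk` output is a constructed sample for a laptop where only /home sits on a dm-crypt/LUKS mapping.

```python
"""Report whether /tmp, /var and swap are backed by an encrypted block device."""
import re
from collections import defaultdict

# Constructed sample of: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
SAMPLE_LSBLK = '''\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda"
NAME="sda4" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-home" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sda4"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')
# Locations where plaintext remnants of home-directory data tend to end up.
WATCHED = ("/tmp", "/var", "/var/tmp", "/home", "[SWAP]")


def parse_lsblk(text):
    """Return ({name: row}, {name: set of parent names}) from lsblk -P output."""
    devices, parents = {}, defaultdict(set)
    for line in text.splitlines():
        row = dict(PAIR.findall(line))
        if "NAME" not in row:
            continue
        devices[row["NAME"]] = row
        # A device with several parents is listed once per parent.
        if row.get("PKNAME"):
            parents[row["NAME"]].add(row["PKNAME"])
    return devices, parents


def covered(name, devices, parents):
    """True if every path from this device down to the disk crosses a crypt layer."""
    dev = devices.get(name)
    if dev is None:
        return False
    if dev.get("TYPE") == "crypt":
        return True
    ups = parents.get(name, ())
    return bool(ups) and all(covered(p, devices, parents) for p in ups)


def backing_devices(path, devices):
    """Devices holding `path`: all swap areas, or the longest-prefix mount."""
    if path == "[SWAP]":
        return [n for n, d in devices.items() if d.get("MOUNTPOINT") == "[SWAP]"]
    best, best_len = None, -1
    for name, dev in devices.items():
        mp = dev.get("MOUNTPOINT", "")
        if not mp.startswith("/"):
            continue
        if path == mp or mp == "/" or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > best_len:
                best, best_len = name, len(mp)
    return [best] if best else []


def audit(text, watched=WATCHED):
    """Map each watched location to (backing device names, encrypted at rest?).

    Locations with no backing block device (for example no swap configured)
    are left out. tmpfs mounts are not block devices and do not appear in
    lsblk, so a tmpfs /tmp is reported under its parent mount; its pages can
    still be written to swap.
    """
    devices, parents = parse_lsblk(text)
    report = {}
    for path in watched:
        names = sorted(backing_devices(path, devices))
        if names:
            ok = all(covered(n, devices, parents) for n in names)
            report[path] = (",".join(names), ok)
    return report


if __name__ == "__main__":
    for path, (dev, ok) in audit(SAMPLE_LSBLK).items():
        print(f"{path:9} on {dev:10} {'encrypted' if ok else 'PLAINTEXT AT REST'}")
```

On a live system the same report comes from passing the real `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output to `audit()`.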
Re: [Discuss] Full disk encryption
Daniel Feenberg wrote:
> The built-in Fedora encryption is no trouble to establish...

What tool do they use? Any other distributions that provide an integrated solution?

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption
On Tue, 3 Jan 2012, Tom Metro wrote:

> Daniel Feenberg wrote:
>> The built-in Fedora encryption is no trouble to establish...
>
> What tool do they use? Any other distributions that provide an

From http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption#Introduction_to_LUKS

Fedora 9's default implementation of LUKS is AES 128 with a SHA256 hashing. Ciphers that are available are:

  AES - Advanced Encryption Standard - FIPS PUB 197
  twofish - Twofish: A 128-Bit Block Cipher
  serpent
  cast5 - RFC 2144
  cast6 - RFC 2612

> integrated solution?

I believe Ubuntu has the same, haven't tried it or any other distribution.

Daniel Feenberg

> -Tom
>
> --
> Tom Metro
> Venture Logic, Newton, MA, USA
> "Enterprise solutions through open source."
> Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption
On Jan 3, 2012, at 9:09 AM, Kyle Leslie wrote:
>
> One of the huge benefits I think is that the encryption keys/recovery keys
> can be stored in AD. So that if you need to unlock or change the drives
> around you don't need to have the user store that some place to get
> lost/stolen. It stores in AD and can be recovered when we need it.

This is, of course, the singular benefit of key escrow. Of course, if your AD is compromised then the attacker has access to *all* of your escrowed keys.

--Rich P.

Re: [Discuss] Full disk encryption
Daniel Feenberg wrote:
> Tom Metro wrote:
>> What tool do they use?
>
> http://fedoraproject.org/wiki/Implementing_LUKS_Disk_Encryption#Introduction_to_LUKS
> Fedora 9's default implementation of LUKS is AES 128 with a SHA256
> hashing.

I'm assuming they're using an existing OSS encryption project and didn't invent their own.

According to:
http://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

LUKS is a specification to facilitate interoperability between encryption software. It says dm-crypt is the reference implementation of LUKS on Linux:
http://en.wikipedia.org/wiki/Dm-crypt

The Fedora article makes no mention of dm-crypt, but does reference cryptsetup, which is built on dm-crypt (so it seems):
http://code.google.com/p/cryptsetup/

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption
gpg, virtualbox and /home encryption. only santa knows what i'm doing and he doesn't care.

- eric c

Re: [Discuss] Full disk encryption
On 01/03/2012 05:03 PM, Tom Metro wrote:
> Daniel Feenberg wrote:
>> The built-in Fedora encryption is no trouble to establish...
>
> What tool do they use? Any other distributions that provide an
> integrated solution?

Fedora allows you to do whole partition/volume encryption with the installer very easily.

The last time I tried Ubuntu (a couple years ago), there was an option for "private" home directories. It would create an encrypted volume for your home directory that was keyed to your password. It would then get unlocked and mounted when you logged in. Fedora does something closer to WDE.

Matt

Re: [Discuss] Full disk encryption
On 01/03/2012 08:50 AM, Daniel Feenberg wrote:
> The built-in Fedora encryption is no trouble to establish (just check the
> box during installation) and maintain and on a multi-core desktop does not
> affect performance. An update from Fedora 13 to 16 did damage the boot
> record and make the disk unreadable, so I wouldn't try doing an update
> again. For a non-networked machine there isn't much need for updates,
> anyway.

FWIW, I've upgraded multiple Fedora boxes where everything but the /boot partition was encrypted several times. I never had any issues. There are two potential problems I can think of that you might have tripped over.

First, you skipped too many releases; they generally only support skipping 1 release on upgrades I think (so 14->16 is ok, but 13->16 is not tested at all).

The other issue that I ran into on an F16 upgrade recently was completely unrelated to encryption (i.e. this box did not use encrypted anything). Grub2 refused to install, giving a message:

  /sbin/grub2-setup: warn: Your embedding area is unusually small. core.img won't fit in it..
  /sbin/grub2-setup: warn: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
  /sbin/grub2-setup: error: will not proceed with blocklists.

Turns out (luckily) this error didn't corrupt anything, and in fact left the old grub1 install intact in the MBR. So I just had to copy the kernel boot lines to the old grub.conf and I was good to go.

Matt

Re: [Discuss] Full disk encryption
On 01/03/2012 11:46 PM, Eric Chadbourne wrote:
> gpg, virtualbox and /home encryption. only santa knows what i'm doing and
> he doesn't care.

...because you're permanently on the naughty list? :-P

Re: [Discuss] Full disk encryption
On Wed, 4 Jan 2012, Matthew Gillen wrote:

> On 01/03/2012 05:03 PM, Tom Metro wrote:
>> Daniel Feenberg wrote:
>>> The built-in Fedora encryption is no trouble to establish...
>>
>> What tool do they use? Any other distributions that provide an
>> integrated solution?
>
> Fedora allows you to do whole partition/volume encryption with the
> installer very easily.
>
> The last time I tried Ubuntu (a couple years ago), there was an option for
> "private" home directories. It would create an encrypted volume for your
> home directory that was keyed to your password. It would then get unlocked
> and mounted when you logged in. Fedora does something closer to WDE.

Does this work with UEFI BIOS motherboards? Does anything?

Daniel Feenberg

> Matt

Re: [Discuss] Full disk encryption
On 01/04/2012 04:23 PM, Daniel Feenberg wrote:
> On Wed, 4 Jan 2012, Matthew Gillen wrote:
>> On 01/03/2012 05:03 PM, Tom Metro wrote:
>>> Daniel Feenberg wrote:
>>>> The built-in Fedora encryption is no trouble to establish...
>>>
>>> What tool do they use? Any other distributions that provide an
>>> integrated solution?
>>
>> Fedora allows you to do whole partition/volume encryption with the
>> installer very easily.
>>
>> The last time I tried Ubuntu (a couple years ago), there was an option
>> for "private" home directories. It would create an encrypted volume for
>> your home directory that was keyed to your password. It would then get
>> unlocked and mounted when you logged in. Fedora does something closer
>> to WDE.
>
> Does this work with UEFI BIOS motherboards? Does anything?

It's sort of orthogonal to UEFI I think; the secure boot mode of UEFI really just controls launching of the bootloader. It doesn't encrypt/decrypt anything, it's just check-summing and then executing.

Am I wrong?

Matt

Re: [Discuss] Full disk encryption
On Jan 4, 2012, at 1:31 PM, Matthew Gillen wrote:
>
> Fedora allows you to do whole partition/volume encryption with the installer
> very easily.

Fedora does so using dm-crypt/LUKS which can encrypt arbitrary block devices. Fedora provides the option to encrypt entire disks or individual partitions.

Ubuntu uses eCryptfs on top of the native file system to provide file-level encryption.

Two very different approaches.

--Rich P.

Re: [Discuss] Full disk encryption
On Wed, 4 Jan 2012, Matthew Gillen wrote:

> On 01/04/2012 04:23 PM, Daniel Feenberg wrote:
>> On Wed, 4 Jan 2012, Matthew Gillen wrote:
>>> On 01/03/2012 05:03 PM, Tom Metro wrote:
>>>> Daniel Feenberg wrote:
>>>>> The built-in Fedora encryption is no trouble to establish...
>>>>
>>>> What tool do they use? Any other distributions that provide an
>>>> integrated solution?
>>>
>>> Fedora allows you to do whole partition/volume encryption with the
>>> installer very easily.
>>>
>>> The last time I tried Ubuntu (a couple years ago), there was an option
>>> for "private" home directories. It would create an encrypted volume for
>>> your home directory that was keyed to your password. It would then get
>>> unlocked and mounted when you logged in. Fedora does something closer
>>> to WDE.
>>
>> Does this work with UEFI BIOS motherboards? Does anything?
>
> It's sort of orthogonal to UEFI I think; the secure boot mode of UEFI
> really just controls launching of the bootloader. It doesn't
> encrypt/decrypt anything, it's just check-summing and then executing.

From my experience, Truecrypt and Compusec are incompatible with UEFI BIOS, and the Winmagic (Securedoc) documentation mentions this limitation explicitly. Those are all Windows programs, and I expect Linux could be quite a different situation, but in the absence of any visible information on the topic, I have no idea.

Presumably there would be no interference with non-boot partitions, but what about boot partitions? I would leave the boot partition unencrypted, but I already signed agreements promising FDE for the machines, not realizing that UEFI would make that difficult.

Daniel Feenberg

> Am I wrong?
>
> Matt

Re: [Discuss] Full disk encryption, why bother?
Richard Pieri wrote:
> Tom Metro wrote:
>> Are you using full disk encryption?
>
> I don't. I take care of my gear. I made this statement before: I
> see WDE as enabler for carelessness.

The EFF article I quoted references a prior EFF article on border crossing inspections. The encouragement to encrypt was more for privacy than for theft prevention.

As someone who goes through US Customs several times a year, this gives me some concern, albeit minor. You may think you have nothing to hide, but why open yourself up to a potential fishing expedition? With the way copyright laws are trending (see SOPA), it wouldn't surprise me if being caught with a downloaded broadcast TV show on your computer will someday result in felony charges.

> Never mind that I have a pair of Mac Minis playing server. Sometimes
> they need to be restarted remotely. Can't do that with WDE.

I guess for that you'd need a console server.

Daniel Feenberg wrote:
> I don't see much point in encrypting data on a network server - if the
> disk is mounted then the plain-text is available to an intruder and the
> addition of an encrypted version doesn't enhance security.

It does if the intruder is physically stealing the disk drive or the server. This would also likely apply in a government seizure scenario. They'd likely remove the equipment from the premises first, and attempt access later. (Though maybe they've wised up to this possibility?)

So yeah, you're guarding against a highly unlikely scenario, but it still has some benefit.

> I have used Truecrypt, but am put off by the documentation, which
> suggests that the primary purpose of encryption is to avoid police
> inspection. As xkcd pointed out, this is hopeless
> ( http://xkcd.com/538/ ).

[The cartoon makes the point that you can be tortured with a $5 wrench to give up your password, so your high-tech encryption is pointless.]

But this is what plausible deniability is all about:
http://www.truecrypt.org/docs/?s=plausible-deniability

If you're in a situation where law enforcement *knows* you have something they want on your disk, you've got bigger problems than your choice of full disk encryption software. :-)

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption and backups
Richard Pieri wrote:
> And this is the great big rub with WDE: backups. File-level backups
> are decrypted when sent to the backup system unless the backup system
> itself re-encrypts everything.

I'm not sure I see the big problem with backups, unless you simply find file-level backups undesirable in general.

If you are performing backups while on your LAN, sending the data in the clear should be of minor concern. The backup system can then encrypt.

If you are off-site, then use one of the backup systems that encrypt locally before sending the data over the wire. Systems like this are becoming increasingly common.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption and backups
> Richard Pieri wrote:
> > And this is the great big rub with WDE: backups. File-level backups
> > are decrypted when sent to the backup system unless the backup system
> > itself re-encrypts everything.

Generalizations galore! ;-) I suppose that depends on your choice of backup software, now doesn't it?

In filevault, you have whole disk encryption, and in time machine, you have backup disk encryption too.

Re: [Discuss] Full disk encryption and backups
On Jan 3, 2012, at 5:11 PM, Tom Metro wrote:
>
> I'm not sure I see the big problem with backups, unless you simply find
> file-level backups undesirable in general.

With WDE, you either decrypt-recrypt everything during backups which means that there is a point in the process where you have no security/privacy on the data, or you back up the entire container at the block level which makes single-file restores impossible (or at least rather convoluted). WDE is a no-win, IMO.

--Rich P.

Re: [Discuss] Full disk encryption and backups
On Jan 3, 2012, at 5:59 PM, Edward Ned Harvey wrote:
>
> In filevault, you have whole disk encryption, and in time machine, you have
> backup disk encryption too.

Time Machine does no encryption whatsoever.

FileVault encrypts home directories in disk images similar to TrueCrypt container files. These are dumped as-are to Time Machine volumes so these at least are encrypted. This is why Apple created the sparsebundle, because sparseimages were clobbering Time Machine in 10.4. In 10.5, only the changed bands within the sparsebundle are dumped. These disk images are troublesome to restore: either you restore the entire disk image or you mount the image and pluck out files by hand.

FileVault 2 is WDE. FileVault 2 can be used to encrypt entire Time Machine volumes. But this means decrypting on reads from the source volume and recrypting on the target volume.

All exactly as I wrote.

--Rich P.

Re: [Discuss] Full disk encryption and backups
Richard Pieri wrote:
> Tom Metro wrote:
>> I'm not sure I see the big problem with backups, unless you simply
>> find file-level backups undesirable in general.
>
> With WDE, you either decrypt-recrypt everything during backups which
> means that there is a point in the process where you have no
> security/privacy on the data...

Ummm...yeah. You do realize that in order to use your data you need to decrypt it, right? :-)

You can make a case that decrypting and then re-encrypting data before you send it off the machine to your backup service is inefficient, but it isn't insecure.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Re: [Discuss] Full disk encryption, why bother?
On Tue, Jan 3, 2012 at 5:01 PM, Tom Metro wrote:
>...
> Daniel Feenberg wrote:
>> I don't see much point in encrypting data on a network server - if the
>> disk is mounted then the plain-text is available to an intruder and the
>> addition of an encrypted version doesn't enhance security.
>
> It does if the intruder is physically stealing the disk drive or the
> server. This would also likely apply in a government seizure scenario.
> They'd likely remove the equipment from the premises first, and attempt
> access later. (Though maybe they've wised up to this possibility?)

Well at least some of them have. I just heard about a company selling a product to maintain power on seized computers while you transport them:

http://www.wiebetech.com/products/HotPlug.php

It came up in the context of moving servers from one power jack to another one due to data center power changes. (Someone wanted to avoid downtime.)

Bill Bogstad

Re: [Discuss] Full disk encryption, why bother?
On 1/3/2012 11:56 PM, Bill Bogstad wrote:
> I just heard about a company selling
> a product to maintain power on seized computers while you transport
> them:
>
> http://www.wiebetech.com/products/HotPlug.php
>
> It came up in the context of moving servers from one power jack to
> another one due to data center power changes. (Someone wanted to
> avoid downtime.)

Anyone buying this device would do well to have paid-up life insurance: the company is selling a UPS, but they're also selling "cheater" cords that allow their UPS to power a "live" outlet with a double-male connection cord, and that's flat-out dangerous.

Bill

--
Bill Horne
339-364-8487

Re: [Discuss] Full disk encryption and backups
On 1/3/2012 10:32 PM, Tom Metro wrote:
> Ummm...yeah. You do realize that in order to use your data you need to
> decrypt it, right? :-)

Yeah, but that data remains local within hopefully protected memory areas. Backups usually run to external storage of some sort, be they flash drives or NAS or what have you. Take the Firewire or USB link between a Macintosh and its Time Machine disk. This link is completely unauthenticated and unsecured. An attacker could tap that connection without any difficulty.

There are ways to deal with this but they add complexity to the backup system. The more complex you make the backup system, the more difficult you make it to use.

--
Rich P.

Re: [Discuss] Full disk encryption, why bother?
On Wed, Jan 04, 2012 at 09:24:47AM -0500, Bill Horne wrote:
> Anyone buying this device would do well to have paid-up life insurance:
> the company is selling a UPS, but they're also selling "cheater" cords
> that allow their UPS to power a "live" outlet with a double-male
> connection cord, and that's flat-out dangerous.

It's not a UPS. You have to supply your own UPS to power their capture unit. And it doesn't appear to power the outlet until after the mains power is cut. That's the "Patent-pending technology" part I suppose.

-ben

--
be alone, that is the secret of invention; be alone, that is when ideas are born.

Re: [Discuss] Full disk encryption, why bother?
On Wed, Jan 4, 2012 at 1:39 PM, Ben Eisenbraun wrote:
> On Wed, Jan 04, 2012 at 09:24:47AM -0500, Bill Horne wrote:
>> Anyone buying this device would do well to have paid-up life insurance:
>> the company is selling a UPS, but they're also selling "cheater" cords
>> that allow their UPS to power a "live" outlet with a double-male
>> connection cord, and that's flat-out dangerous.
>
> It's not a UPS. You have to supply your own UPS to power their capture
> unit. And it doesn't appear to power the outlet until after the mains
> power is cut. That's the "Patent-pending technology" part I suppose.

My guess is that they basically have boxed up just the switching portion of a standby (offline) UPS. Not all systems like that kind of UPS. OTOH, many cheap UPS do it that way so it clearly works well enough for many uses.

The videos where you go into the wall and clip wires or pull a plug partially out of a sock are potentially dangerous, but don't seem too bad as long as you are careful.

Bill Bogstad

Re: [Discuss] Full disk encryption, why bother?
Starts sounding like it might be best to get a system like off-the-grid folks have, where they run inverters full time from batteries, and charge the batteries from whatever is available (PV solar, generators, wind, tractor/generators, steam engine/generators, or even just charger from the grid, etc).

homepower.com has Home Power magazine that has lots of power solutions.

Also, cheap inverters tend to make square or 'blocky' type AC current, where good 'full sine wave' inverters make 'good looking' power that most devices handle without any issue. Some UPSes have the same problem.

I hope this helps some folks...

Re: [Discuss] Full disk encryption, why bother?
On 1/4/2012 1:39 PM, Ben Eisenbraun wrote:
> On Wed, Jan 04, 2012 at 09:24:47AM -0500, Bill Horne wrote:
>> Anyone buying this device would do well to have paid-up life insurance:
>> the company is selling a UPS, but they're also selling "cheater" cords
>> that allow their UPS to power a "live" outlet with a double-male
>> connection cord, and that's flat-out dangerous.
>
> It's not a UPS. You have to supply your own UPS to power their capture
> unit. And it doesn't appear to power the outlet until after the mains
> power is cut. That's the "Patent-pending technology" part I suppose.

It may not be a UPS, but AFAICT it's also not UL or ETL listed. That's a $10,000 fine if an employee gets injured, and a "you betcha" lawsuit that will probably end a career, and an accident might even result in jail time.

I'm sorry to be such a spoilsport, but this stuff is /not/ software, and it is /not/ for amateurs: you don't learn about power factors and Class Zero gloves by trial-and-error.

Please consider these facts, which the manufacturer does not mention on their website:

1. Cutting wires that are carrying power is dangerous and error-prone, but this manufacturer implies that it can be done safely by amateurs. The /best/ result one can hope for is to "burn a hole" in the cutting tools, thus ruining them. At worst, flash burns and pieces of molten metal flying in unpredictable directions. Men have been blinded by such events.

2. Without a UL or ETL listing, there is no guarantee that the actual switching circuitry inside this device is designed to interrupt the current being carried.

3. Plugging a power source into a "hot" outlet, conductor, or power strip is an invitation to disaster. If there's a power strip in use, it may not have the "hot" leads on the "right" side of the outlets - after all, they're made for use on home computers by shops that cut every corner they can - and /that/ means that a failure of the "hotplug" device could place a "dead short" across the power source. Men have been killed by such events.

4. No matter what you do, no matter what precautions you take, no matter how willing you are to learn about electricity, the BEST you can hope for is that nothing happens. That's a setup for failure, and electrical failures caused by using unapproved equipment in non-standard ways are a lawyer's wet dream.

FWIW. YMMV. I'll send flowers to your funeral.

Bill

--
Bill Horne
339-364-8487

Re: [Discuss] Full disk encryption, why bother?
> On 1/3/2012 11:56 PM, Bill Bogstad wrote:
>> I just heard about a company selling
>> a product to maintain power on seized computers while you transport
>> them:
>>
>> http://www.wiebetech.com/products/HotPlug.php
>>
>> It came up in the context of moving servers from one power jack to
>> another one due to data center power changes. (Someone wanted to
>> avoid downtime.)
>
> Anyone buying this device would do well to have paid-up life insurance:
> the company is selling a UPS, but they're also selling "cheater" cords
> that allow their UPS to power a "live" outlet with a double-male
> connection cord, and that's flat-out dangerous.

I think this is a cool but scary device. I doubt it is as simple as a mere power plug. It seems to be able to act as a UPS when power loss is detected. It is dangerous as a UPS but scary as a way for "the man" to take your computer without powering it down.

> Bill
>
> --
> Bill Horne
> 339-364-8487

Re: [Discuss] Full disk encryption, why bother?
ma...@mohawksoft.com wrote:
> I doubt it is as simple as a mere power plug. It seems to be able to
> act as a UPS when power loss is detected.

Presumably it would need UPS-like circuitry to synchronize the synthesized waveform to the AC power, and activate the output when loss of power was detected. I wouldn't be surprised if an off-the-shelf UPS could be applied this way. (With the aforementioned risks to your wellbeing.)

> ...scary as a way for "the man" to
> take your computer without powering it down.

Actually pretty easily thwarted if you anticipate it. All you need is a few trip switches wired in series and to the reset line on the motherboard. Say one on any removable panels, one with a plunger protruding from the bottom of the case, and one to a mercury switch located somewhere deep in the interior of the computer.

Really, the mercury switch is all you need, and it alone is less likely to be noticed and bypassed. (Though the switches on the panels might still be a good idea in case they attempt an on-the-spot memory dump. Although I suppose if you've got Firewire, that can be done without opening the case.)

Of course if you live in earthquake country, be prepared for your server to reboot on every tremor. :-)

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/