Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I\'ve come to find Full Disk Encryption to be a rather unsafe method of securing

ID: 655870 • Letter: I

Question

I've come to find Full Disk Encryption to be a rather unsafe method of securing data as standardized tools are becoming available to just read out the encryption key from RAM, where the system needs it to be to make use of the system partition.

The more secure approach I suggest is to have a separate data partition with user data with a separate encryption used as a cold storage and only mounted when files on it is used.

Preferably, the system partition should be secured as well. My best idea for doing this is scripting a time delayed purging of keys from RAM, or shutdown, if the script has not received a timer reset. The timer reset could be anything, like a successful logon within 24 hours for a laptop. I'm guessing that one would normally logon to a personal laptop within 24 hours, but if lost in any way, it will not be in the hands of experts that read out RAM within that time.

Let me know what you think of this?

Explanation / Answer

Rather unsafe is a little exaggerated. It's secure enough for the vast majority of people trying to protect their data from offline attackers.

If you are worried about a malware reading the encryption keys, you are worried about the wrong threat. A malware should be running with root privileges to read the content of the master keys on the memory, but a malware with root privileges would have access to all data anyway.

If you want to protect against someone stealing your machine while you are away, just configure your screen lock to unmount all LUKS partitions during the lock. You can even install blueproximity to automatically lock the machine when your bluetooth-enabled smartphone gets away.

If some agent with the knowledge and resources to be able to use a cold boot attack is targeting you, you will have to think on more than LUKS to protect yourself.

It's easier to get you to fall for a spear-phishing scheme than to use a cold boot attack. If someone is targeting you, and knows how to employ a cold boot attack, they know how to employ a host of targeted attacks before having to resort to a cold boot. Hole-watering, spear phishing, DNS redirection, even phony traffic tickets and USB-drive gifts can be used for tricking you.

A cold boot would require the attacker to get physically close, and at least steal your computer and disassemble it. But if the attacker can get close enough to take your machine, he can take you too, and easily getting your keys employing Rubber-hose cryptanalysis.

Related Questions

I\'ve been working at this assignment but I keep getting stuck. I could really u
Question #3622063
I\'ve been working at this problem and cannot seem to figure it out. I appreciat
Question #631830
I\'ve been working at this problem and cannot seem to figure it out. I appreciat
Question #773717
I\'ve been working by myself on a fairly large open source project for quite a w
Question #660558
I\'ve been working for a consulting firm for some time, with clients of various
Question #651924
I\'ve been working in ASP.net for over three years now. The project I\'m working
Question #649956
I\'ve been working on a .NET personal project for a little while now and it\'s a
Question #659541
I\'ve been working on a ASP.NET Web Api 2 project as a learning exercise, and I
Question #644474
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I\'ve come across this quote attributed to Misner, Thorne & Wheeler from their b
Next
I\'ve come up with a light weight bit wise encryption algorithm and seems good.

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.