Date: Mon, 25 Feb 2008 23:48:41 +0100 From: Uwe Doering <gemini@geminix.org> To: Achim Patzner <ap@bnc.net> Cc: freebsd-hackers@freebsd.org, "David E. Thiel" <lx@FreeBSD.org> Subject: Re: Security Flaw in Popular Disk Encryption Technologies Message-ID: <47C345C9.8010901@geminix.org> In-Reply-To: <31648FC5-26B9-4359-ACC8-412504D3257B@bnc.net> References: <20080223010856.7244.qmail@smasher.org> <20080223222733.GI12067@redundancy.redundancy.org> <31648FC5-26B9-4359-ACC8-412504D3257B@bnc.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Achim Patzner wrote: >>> article below. does anyone know how this affects eli/geli? >> >> There's fairly little any disk crypto system can do to thoroughly defend >> against this. > > Hm. Strange. Serious hardware is very well suited to do that (usually > by adding well defended crypto hardware). Keys don't have to be stored > in unsafe places. Since it hasn't been mentioned so far: There are hard disk drives that do encryption on the firmware level, so you don't have to store keys on the OS level. While this doesn't solve the problem completely it at least makes getting at the key much more difficult. You would have to somehow preserve and later get at the contents of the RAM inside the controller chip on the HDD PCB, and you probably can't risk throwing the entire HDD into liquid nitrogen because there is a good chance that it would be damaged afterwards. Hitachi makes such drives, for instance (2.5" SATA models for notebooks). There the HDD password doubles as encryption key, AFAIK. So if the data you carry around is really that sensitive I would suggest to consider that approach. Regards, Uwe -- Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers gemini@geminix.org | http://www.escapebox.net
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47C345C9.8010901>