Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 25 Feb 2008 23:48:41 +0100
From:      Uwe Doering <gemini@geminix.org>
To:        Achim Patzner <ap@bnc.net>
Cc:        freebsd-hackers@freebsd.org, "David E. Thiel" <lx@FreeBSD.org>
Subject:   Re: Security Flaw in Popular Disk Encryption Technologies
Message-ID:  <47C345C9.8010901@geminix.org>
In-Reply-To: <31648FC5-26B9-4359-ACC8-412504D3257B@bnc.net>
References:  <20080223010856.7244.qmail@smasher.org>	<20080223222733.GI12067@redundancy.redundancy.org> <31648FC5-26B9-4359-ACC8-412504D3257B@bnc.net>

next in thread | previous in thread | raw e-mail | index | archive | help
Achim Patzner wrote:
>>> article below. does anyone know how this affects eli/geli?
>>
>> There's fairly little any disk crypto system can do to thoroughly defend
>> against this.
> 
> Hm. Strange. Serious hardware is very well suited to do that (usually
> by adding well defended crypto hardware). Keys don't have to be stored
> in unsafe places.

Since it hasn't been mentioned so far: There are hard disk drives that 
do encryption on the firmware level, so you don't have to store keys on 
the OS level.

While this doesn't solve the problem completely it at least makes 
getting at the key much more difficult.  You would have to somehow 
preserve and later get at the contents of the RAM inside the controller 
chip on the HDD PCB, and you probably can't risk throwing the entire HDD 
into liquid nitrogen because there is a good chance that it would be 
damaged afterwards.

Hitachi makes such drives, for instance (2.5" SATA models for 
notebooks).  There the HDD password doubles as encryption key, AFAIK. 
So if the data you carry around is really that sensitive I would suggest 
to consider that approach.

Regards,

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47C345C9.8010901>