Questions tagged [disk-encryption]
Disk encryption is a special case of data at rest protection when the storage media is a sector-addressable device (e.g., a hard disk).
620 questions
0
votes
2
answers
175
views
How do embedded systems protect encryption keys when no user authentication is possible at startup?
Embedded and IoT systems power on autonomously, without user input (unlike PCs or phones requiring a PIN/password). If the manufacturer wants to encrypt the flash storage:
Must the decryption key be ...
- 537
2
votes
1
answer
168
views
Why does BitLocker keep the Volume Master Key (VMK) in plaintext RAM instead of inside a TEE?
I have two related questions about BitLocker’s key handling:
1)
After the system boots and BitLocker unlocks the drive, TPM releases the Volume Master Key (VMK) and from now on it is resident in ...
- 537
1
vote
2
answers
178
views
Does a signed TPM2 PCR policy verify the EFI code similarly to secure boot?
For context, my question relates to the use of the systemd-cryptenroll and the related TPM enrollment options where one set of options "configures a TPM2 signed PCR policy to bind encryption to.&...
- 109
4
votes
3
answers
565
views
Erasing then encrypting external HDD using Disk Utility on Mac
Does erasing and then encrypting a previously unencrypted HDD secure all data previously written to it?
- 41
0
votes
1
answer
225
views
How does flash encryption actually work
I have been reading about NVS flash partitions for use in embedded systems and that the NVS key-value data can be encrypted by using a symmetric key. This symmetric key is then stored in a separate ...
- 309
12
votes
3
answers
4k
views
Why shred before LUKS disk encryption?
I read the following article and it says to "Stuff random data to the device" (using shred) before encrypting with LUKS.
How to enable LUKS disk encryption with keyfile on Linux
Why would ...
- 121
1
vote
0
answers
162
views
Is it necessary to encrypt an eMMC that's soldered to the board?
Say you have a machine where the disk (eMMC) is non-removable like the Surface Go. If the UEFI configuration is protected with a long password, USB + network boot is disabled, and your user has a long ...
- 131
2
votes
3
answers
1k
views
Clarifying BitLocker Full Disk Encryption and the role of TPM
Question 1:
Can you confirm that in a full disk encryption setup like BitLocker, when we normally boot the system, use the password, and log in, the key to decrypt the disk is loaded into RAM?
If so, ...
- 537
10
votes
3
answers
3k
views
Prepare Bitlocker protected PC for disposal
We want to dispose of an old notebook whose display frame is damaged. It's a Windows device with a BitLocker (TPM+PIN) encrypted SSD.
I am trying to devise a strategy for protecting the data on the ...
- 3,950
9
votes
4
answers
5k
views
Is BitLocker susceptible to any known attacks other than bruteforcing when used with a very strong passphrase and no TPM?
I have learned about attacks where the BitLocker master key can be sniffed on its way from the CPU to the TPM using a logic analyzer. However, in computer configurations without TPMs, this is ...
- 1,362
1
vote
1
answer
144
views
In Linux, what encryption implementation approach is optimal given specific use & threat models?
Given the following use & threat models, what is the optimal encryption implementation? Optimal is defined as the approach best matching the use model.
Use Model
Computer must be optimized for ...
- 3,204
2
votes
1
answer
252
views
Are there any motherboards / UEFI that support hardware encryption on SED?
I found that Thinkpads have hdd password support, which in terms uses some bizarre password hashing and ends up with 90 bits of entropy, which is again used as ATA security password to SED, which in ...
- 103
0
votes
1
answer
320
views
How does iOS / Android device encryption work?
As far as I'm aware, a locked iOS is considered very safe. No one, who does not know the PIN cannot unlock the phone. While the PIN seems weak on the first glance (4 digits?) it is actually strong, ...
- 6,851
0
votes
1
answer
160
views
SSH-Agent writing unencrypted keys to swap memory
I have recently set up a computer with full disk encryption, and I decided not to encrypt the swap partition for performance reasons. I have been using ssh-agent on another computer to load my private ...
- 1
0
votes
0
answers
465
views
How does a pattern or a PIN secure an Android device with encryption?
Modern Android devices have encryption for the storage. It is secured with a key which is derived from the lock screen and a hardware bound key.
We know that the rate limiting mechanism prevents brute ...
- 147
0
votes
0
answers
98
views
Protect the content of External Disk/USB Storage
Due to certain circumstances, we are forced to keep some copyrighted data in an external hard disk. due to privacy concerns, we want to allow this data to be accessed only from a trusted/office ...
- 1
1
vote
2
answers
242
views
Isolating encrypted and unecnrypted Windows installations and protecting the boot loader
I want to use my PC both for gaming and for stuff like keeping cryptocurrency wallets, online banking, etc. I need to install games as admin but of course I don't want them to be able to access my ...
- 111
0
votes
0
answers
120
views
If I hibernate my Linux distro (which has an encrypted partition) and store it in a unencrypted swap partition, can an attacker access all my data?
Is it possible? How? Should I encrypt my swap partition? If I don't encrypt it, basically I make encryption in the main partition useless.
- 137
2
votes
2
answers
286
views
Full disk-encryption key vs password
I need to set up full disk encryption on my linux laptop.
Questions:
Does an encryption key on a USB pendrive protect against rubber-hose cryptanalysis?
Is it true that the key on a pendrive is ...
- 131
2
votes
0
answers
1k
views
Do I retain plausible deniability if using "quick format" in veracrypt on new SSD?
I bought a new 2 TB SSD (NVMe). I want to turn it entirely into a veracrypt volume, nearly all of the drive being for a hidden volume. First, I told it to do a "quick format", which was done ...
- 121
3
votes
2
answers
3k
views
LUKS: How many iterations are enough?
The luksFormat command accepts iteration time as a parameter, not iterations. That obviously leads to quite different number of iterations depending on the hardware doing the encryption. However if ...
- 445
0
votes
0
answers
172
views
Choosing Encryption Strategies for Secure Long-Term Storage of Sensitive Data
When considering external drives for secure long-term storage of sensitive data, what are the pros and cons of using the same password for encrypting all files versus using random passwords for each ...
- 173
1
vote
1
answer
394
views
What are the risks of reusing the same passphrase for FDE, user account, and password manager?
Consider a home user who runs Linux on a laptop with full-disk encryption and uses a cloud-based password manager. Assume the laptop is firewall-protected with no SSH access. It seems reasonable to ...
- 123
0
votes
0
answers
244
views
Advice on encryption setup
I've been trying to get a reliable, and decently secure setup on a device for a little while now, and I feel like I may be overthinking some things but I am unsure.
Just to clear things up, this is ...
- 173
0
votes
1
answer
300
views
Does faulTPM defeat the LUKS-based FDE with a passphrase?
The recent faulTPM paper (https://arxiv.org/pdf/2304.14717v1.pdf) deals mostly with Bitlocker and only mentions LUKS to note the differences.
The authors state:
With a passphrase, however, the same ...
- 259
1
vote
2
answers
760
views
Full disk encryption with LUKS?
I encrypted my Ubuntu Desktop 20.04.3 with LVM/LUKS during the installation process. If I turn off the computer, is the brute force the only attack available for getting the password and accessing the ...
- 11
1
vote
1
answer
355
views
How to protect files in use on a system powered on from physical theft or tampering?
I'm in the process of figuring out an encryption strategy for a personal Linux system.
My laptop is almost always on, or in sleep mode, except for longer travels.
My main threats are theft of my ...
- 11
1
vote
1
answer
229
views
AEAD: Authenticating a digest of my data instead the data itself
Relevant question for Python:
Stack Exchange: https://stackoverflow.com/questions/75739308/aead-authentication-with-huge-input-that-doesnt-fit-into-ram
Top Answers: https://topanswers.xyz/python?q=...
- 121
1
vote
2
answers
4k
views
Full disk encryption: Legacy boot mode (MBR) vs. EFI boot mode
FDE tools like VeraCrypt will encrypt the whole system drive when the machine uses legacy boot mode (MBR). But they will only encrypt the system partition if the machine uses EFI boot mode (the EFI ...
- 1,743
1
vote
3
answers
843
views
Understanding FDE: Is the encrypted Linux protected against a compromised boot volume?
I use this initramfs-based FDE on my headless server. My motivation is to secure my system against physical tampering.
I am aware that securing an untrusted hardware is not possible. This question is ...
- 113
15
votes
2
answers
8k
views
Erased encrypted HDD, then secure erased 10% of it before selling it - is it safe?
I have a 4TB mechanical hard drive that was encrypted before I ever wrote any file on it. I used a 25 character password with symbols.
Before I sold it, I unmounted the disk while it was still ...
- 321
1
vote
3
answers
488
views
Are there ways to detect plain dm-crypt encryption and what are the countermeasures against them?
Encryption with plain dm-crypt is often positioned as encryption that cannot be recognized. But is it really so? Are there ways to prove that the data is encrypted with plain dm-crypt? How to bypass ...
- 11
1
vote
1
answer
346
views
How to make a virtual machine forensics-proof - completely or to the maximum possible level?
I want to make a VMWare (VMWare is first preference but any alternative can be used as well) virtual machine completely digital forensics-proof. I am protecting against someone getting physical access ...
- 139
0
votes
0
answers
257
views
Self-encrypting drive - eDrive vs ATA Security
Let's for a moment forget about the possible drawbacks of SEDs themselves. One of the upsides of SEDs is that the encryption key never leaves the drive but wouldn't using eDrive negate this advantage ...
1
vote
1
answer
541
views
Is it sufficient to put /var, /tmp/, and /home on their own encrypted partitions?
I want to encrypt my system, but I don't want the hassle of having to put in two passwords on boot; I just want to put in one password on login that would decrypt the other partitions. I have heard ...
- 173
0
votes
1
answer
3k
views
NAS newbie: how to ensure that network storage is encrypted at rest (and ideally in transit and in use) for Windows, Linux, Mac
I'm looking to buy an ~8TB NAS* for my home office (I guess it's called a "private cloud").
I want to connect to it from Windows, Linux, Mac, Android, and iOS.
How can I ensure that the ...
- 335
1
vote
0
answers
673
views
Suspicious SSD corruption exactly at LUKS encryption header
I am helping with an interesting data recovery issue. The laptop was running Debian 11 Linux with LUKS full disk encryption on a Samsung 970 Evo Plus 2TB SSD for quite many months. Suddenly the LUKS ...
- 11
0
votes
0
answers
44
views
Is it possible to hack encrypted external HDD,if you have access to it? [duplicate]
If I lose my external HDD and somebody finds it and tries to hack, will he succeed?Is it possible to get data from encrypted disk by disassembling it and working with platters?
HDD is APFS AES 256 ...
2
votes
1
answer
1k
views
Is it safe to store data on APFS 256 AES encrypted external HDD disk?
I'm using a MacBook and want to store confidential data (financial documents, passwords, private photos, etc.) on an external HDD disk.
How safe is setting up APFS AES 256 encryption with disk ...
0
votes
1
answer
171
views
Does an SSD store software-encrypted data in unencrypted form somewhere?
I use LUKS encryption on my entire drive. Do SSD drives ship with any storage areas which store unencrypted data, even though the data is saved encrypted on user-available SSD storage?
Maybe inside ...
- 43
1
vote
0
answers
314
views
How hard is it to modify UEFI nvram if the device is off and the UEFI is locked?
This assumes that:
Machine is powered off
No UEFI backdoors
No Reflashing the firmware
No clearing the NVRAM (The point is to modify/read a small amount of NVRAM, instead of resetting it)
Device ...
0
votes
1
answer
2k
views
NVMe Self Encrypting Drive - How to use ATA Security?
I own a Samsung 980 Pro which, according to its own specification, supports Class 0, TCG/Opal 2.0 and IEEE16667. Since it's an NVMe drive, I cannot use hdparm in order to set up class 0 encryption but ...
0
votes
0
answers
270
views
SED specification for USB sticks?
As I got from my preliminary research, there is an established standard TCG Opal 2.0 which defines in specification the principles of SED encryption thus enabling the interoperability between vendors.
...
- 337
1
vote
0
answers
42
views
Full disk encryption and data recovery capabilities [duplicate]
So I had linux mint with fde, had sensitive files on it, shut down my pc, and reinstalled a new linux mint OS with fde. What are the chances of data recovery from the first OS?
- 11
1
vote
1
answer
145
views
Flashdrive data confidentiality when disconnecting flashdrive from machine abruptly
Assuming I boot up a fully encrypted OS from a portable flash drive and do some tasks in this running OS; then abruptly disconnect this flash drive from my computer and a malicious actor gets their ...
- 13
2
votes
1
answer
705
views
Military-grade encryption on Blu-ray discs?
Another thread addresses the question of what can count as "military-grade encryption." In this case, I see that CyberLink Power2Go software boasts "advanced military-grade 256-bit ...
- 123
1
vote
2
answers
2k
views
How does bitlocker work when unlocking a removable drive on another PC using a password?
Here's the scenario:
I have an external harddrive encrypted with bitlocker. I disconnect that drive from the PC that encrypted it, and connect it to a different PC.
Surprisingly, when I do this, all ...
- 135
0
votes
3
answers
2k
views
How difficult is it to decrypt a disk encrypted with luksOpen?
I have encrypted a disk on my Ubuntu machine using
sudo cryptsetup luksOpen /dev/sdb1 sdb1
I'm wondering how difficult is it to decrypt this disk using bruteforce password guessing?
What does the ...
- 373
0
votes
1
answer
105
views
Saving signed file on an encrypted drive using symmetric encryption
When using asymmetric encryption, signing and encryption are the same, but opposite, operations.
Say I have my drive encrypted with asymmetric encryption.
If I save a signed file to that drive, using ...
- 5
0
votes
1
answer
1k
views
Using Yubico YubiKey 5 NFC for local data encryption
I'm interested in buying a Yubikey but want to know if you can use a Yubikey to generate a symmetric key for file encryption on selected files on a PC. Or if you need some sort of extension like HMAC-...
- 3