Author Topic: Full Disk Encryption? (Read 234 times)

Dongle · « **on:** July 24, 2010, 12:03:41 PM »

I was reading that there are tools that can encrypt the entire harddrive so that a passkey must be entered upon booting the computer before the OS even loads. Because of the speed of modern computers, the on-the-fly decryption provides little to no performance hit.

Anyone know more about this?

Vesp · « **Reply #1 on:** July 24, 2010, 07:16:40 PM »

I have heard about it - I think a lot of linux and BSD variants have this option and it is fairly simple - It would suck to forget your password though!

zajcek01 · « **Reply #2 on:** July 25, 2010, 11:07:30 AM »

I have my home dir on a separate disk, and encrypted on ubuntu linux.
I also have my swap partition encrypted and temporary maps also.
There is no significant performance loss except when dealing with large files. (example: when downloading a DVD with torrent, and the application is allocating it's space, encrypting the data at the same time. Application freezes for something like 30-60 seconds)

A good solution is also disk encryption some laptops provide. It can be enabled from bios.
Maybe a combination of the two (software, hardware) would be safer, using 2 separate passwords.
Some laptops still haven't been cracked.

Also a good idea is to have passwords as long as possible and with uppercase, lowercase letters, signs, numbers.....

Never use dictionary words, birthday dates, names...

for example:
windows login passwords with just 8 signs (random lowercase letters and some numbers) can be decrypted within 5 minutes using special software from boot cd.

drone1240 · « **Reply #3 on:** July 26, 2010, 05:56:24 PM »

Dongle were are gonna learn this together. I took some advice from Marakov and started running Tor off a firefox platform with HTTPS from .EFF. I encrytped a 500 gig HD and have been learning about free BSD open BSD and unbuntu. I am not sure what OS I am going to implement but I have a small question. Can I run my OS from the same volume my files are on or do I need to set up a seperate volume and mount them both when I want to surf and look at files?

zajcek01 · « **Reply #4 on:** July 26, 2010, 10:33:49 PM »

The same volume can be used. (OS can run from encrypted drive, but performance is hindered).
In such case, password must be provided during boot.

Only separate files/folders/volumes can be encrypted instad.

There are a lot of easy step by step guides on how to do this on the internet.

lugh · « **Reply #5 on:** July 28, 2010, 12:24:48 AM »

True Crypt is the open source answer to full disk encryption, and there are forums describing the problems that people have had with it:

h**p://forums.truecrypt.org/

Dongle · « **Reply #6 on:** July 30, 2010, 01:44:57 AM »

Drone, I encrypted a laptop with Truecrypt. It can be set to boot to a fake boot error. You have to blind-type the passkey to get it to boot - no performance hit that I see. Actually it feels so transparent it doesn't "feel" secure.

TooCold · « **Reply #7 on:** August 09, 2010, 09:19:31 PM »

It is best to encrypt your really sensitive stuff in a separate encrypted volume which Truecrypt which you can dismount immediately after use. This should be done in addition to full drive encryption. You can keep firefox, Thunderbird, and GPG software in this encrypted volume too. By using a separate encrypted volume it protects one from "evil maid" attacks and any attack known or unknown which can bypass truecrypts bootloader.

Douchermann · « **Reply #8 on:** August 10, 2010, 11:41:46 PM »

Don't forget hot swappable harddrives. It's not encryption, but if the drive with sensitive data were to be hidden really well, you've got a real good chance. Not to mention, you could pull it and find an effective means to destroy it once "they" come knockin. Magnets don't work, keep a hammer close by. If you can dent or crack the disk, you're safe.

hypnos · « **Reply #9 on:** September 05, 2010, 01:49:07 AM »

Quote

Magnets don't work, keep a hammer close by. If you can dent or crack the disk, you're safe

LOL

yeah right!!! i agree "separate/swapable" is good .....hey what about JohnDoFox as a good option...check it out....works well......as far as a 'trace' is concerned,, it says i'm about 2000kms from where I am...

xxx · « **Reply #10 on:** October 17, 2010, 05:18:13 PM »

SSD drive, Truecrypt the whole thing, 7 bit pass wipes, and a microwave. Store it in a modified microwave.

A SSD drive is effectively FRIED if it gets microwaved, because all the lil chips ignite and melt and all that jazz, totally FUBAR-izing the data.

Oh and if you wipe the drive properly with a slackspace wipe and 7 bit pass, it CANNOT be data-recovered because there is NO magnetic images or anything.

akcom · « **Reply #11 on:** October 18, 2010, 12:25:22 AM »

thermite is your best option. they can still recover significant amounts of data from a drive that has bee dented/chipped/hammer

Vesp · « **Reply #12 on:** October 18, 2010, 12:26:39 AM »

I'm sure either microwave or thermite are pretty close to equal - I would prefer microwave - but thermite works even without electricity.

xxx · « **Reply #13 on:** October 20, 2010, 12:13:23 PM »

Why not both... Set up one of those 'SHTF disk wiping utilities' to wipe the drive if anything goes wrong/your box is messed with, and an anti-handling unit set to activate both the microwave and an incendiary casing on the SSD drive.

I aint good enough at python to code a 'disk scrubber' and there are plenty out there, but I sure as hell can design the 'destruction unit'

I mean, a 3 bit pass will effectively destroy the SSD anyways, but 7 bit pass with randomized bits followed by microwaving and slagging-with-incendiary is DEFINATELY the way to go for the uber paranoid. That way even a cold-boot attack against the box's RAM is rendered ineffective...

And for the record, truecrypt has a 'hidden partition within partition' thingy that allows plausable deniability - you hand them the 'layer 1' passkey and they cannot prove ANY layer two even exists. And allegedly the feebs still have not broken Truecrypt. Using it in conjunction with PGP full disk encryption and the schemes I outline above would definately render any fedorales high tech crap obsolete...

Dongle · « **Reply #14 on:** October 24, 2010, 05:24:59 AM »

I wouldn't worry about data recollection at this point. My corporate experience at one of the premier data forensics depts of a software company has reveled that the proximity of platters along with the reduced tolerance for writing on platters has rendered this area of forensics ever harder. Just encrypt your drive to a reasonable extent and its as good as a brick.

Truecrypt's plausible deniability is a great option, although you must be sure that what you are giving up in the "supposedly secret" partitition you create is enough for them not to thnk that it was, itself a front for a far "darker" partitition full of more goodies. Make sure there is some twisted shit, like tranny sex, long clits on bodybuilders, etc. Stuff that isn't illegal but that "should" embarrass the hell out of you. If you don't look phased they'll know that they haven't hit the payload yet.

embezzler · « **Reply #15 on:** October 25, 2010, 05:29:54 PM »

Quote

twisted shit, like tranny sex, long clits on bodybuilders

In the UK that kind of shit is borderline illegal now, and definately S and M is illegal. So make sure you dont hang yourself. Obscene porn act and what have you

EU1920xy · « **Reply #16 on:** February 03, 2012, 01:37:33 PM »

DiskCryptor is also an good alternative to TrueCrypt. But no encryption eliminates the need for backups, most are lazy to make them. You change opinion when you loose all data.

redneck2 · « **Reply #17 on:** February 22, 2012, 10:04:38 PM »

Where I work we are going to use WinMagic. Don't know anything about it yet.

hermeswayfinder · « **Reply #18 on:** April 18, 2012, 08:21:38 PM »

For any mac users with lion, FileVault is automatically installed on the computer. FileVault will encrypt your entire disk or just the bits and pieces of it you want encrypted I believe. Just when it asks if you want mac to store a back-up of your password give them the middle finger and say HELL NO!

Author Topic: Full Disk Encryption? (Read 234 times)

Dongle

Full Disk Encryption?

Vesp

Re: Full Disk Encryption?

zajcek01

Re: Full Disk Encryption?

drone1240

Re: Full Disk Encryption?

zajcek01

Re: Full Disk Encryption?

lugh

Re: Full Disk Encryption?

Dongle

Re: Full Disk Encryption?

TooCold

Re: Full Disk Encryption?

Douchermann

Re: Full Disk Encryption?

hypnos

Re: Full Disk Encryption?

xxx

Re: Full Disk Encryption?

akcom

Re: Full Disk Encryption?

Vesp

Re: Full Disk Encryption?

xxx

Re: Full Disk Encryption?

Dongle

Re: Full Disk Encryption?

embezzler

Re: Full Disk Encryption?

EU1920xy

Re: Full Disk Encryption?

redneck2

Re: Full Disk Encryption?

hermeswayfinder

Re: Full Disk Encryption?