|
|
|
|
|
|
| Author |
Message |
Moe Trin
*nix forums Guru
Joined: 20 Feb 2005
Posts: 972
|
 Posted: Tue Apr 25, 2006 7:53 pm Post subject:
Re: Disk over writing software
|
|
|
On Tue, 25 Apr 2006, in the Usenet newsgroup comp.os.linux.security, in article
<e2k912$4d9$02$3@news.t-online.com>, Ertugrul Soeylemez wrote:
| Quote: | That's why I prefer encrypting my hard-disk instead of being concerned
about proper disposition. Using a secure key, I could lose it or throw
it away without having concerns.
Luckily proper encryption cannot be distinguished from random noise. So
an attacker might even think that I've overwritten it that way, trying
to hide data stored on the disk previously. My current hard-disk has
never received a single bit of clear-text.
|
Not using a swap partition?
Old guy |
|
| Back to top |
|
 |
Loki Harfagr
*nix forums Guru
Joined: 25 Feb 2005
Posts: 782
|
| Posted: Sun Jun 18, 2006 4:50 pm Post subject:
Re: Disk over writing software
|
|
|
Le Tue, 25 Apr 2006 06:36:50 +0200, Ertugrul Soeylemez a écrit :
| Quote: | ibuprofin@painkiller.example.tld (Moe Trin) (06-04-22 17:26:37):
One thing people often forget is defective blocks on the media that
modern drives "auto-fix". What they do is copy the data that had been
on the block (if at all possible) to a "spare" block reserved for this
purpose. The substitution is transparent - done by the drive firmware,
and not under O/S control. This means that some blocks may still exist
with old data even after a thousand writes with random data. For
common users, the data is inaccessible, as you need the manufacturers
software to reset the bad and spare block table to access those blocks
(which may or may not still be usable). This may or may not be an
acceptable level of risk. This is the reason that NISPOM requires
physical destruction of media that contained "Top Secret" data.
That's why I prefer encrypting my hard-disk instead of being concerned
about proper disposition. Using a secure key, I could lose it or throw
it away without having concerns.
Luckily proper encryption cannot be distinguished from random noise. So
an attacker might even think that I've overwritten it that way, trying
to hide data stored on the disk previously. My current hard-disk has
never received a single bit of clear-text.
By the way, is there any way to query the number of such defective
blocks for IDE drives? I don't seem to find a suitable hdparm-option.
|
Just for the dubious case in 45 days you're still searching 
here's an addup to your last question.
For SMART drives you've got smart tools, as posted elsewhere.
For e2fs and family you'll find 'badblocks' tool in e2fsprogs.
PS:
As for the the encrypting of HDs, do not omit your to encrypt
your swap partition (or use an overall encrypt in RAM too). |
|
| Back to top |
|
|
Ertugrul Soeylemez
*nix forums Guru Wannabe
Joined: 28 Oct 2005
Posts: 126
|
| Posted: Mon Jun 19, 2006 3:27 am Post subject:
Re: Disk over writing software
|
|
|
Loki Harfagr <loki@DarkDesign.free.fr> (06-06-18 18:50:40):
| Quote: | As for the the encrypting of HDs, do not omit your to encrypt your
swap partition (or use an overall encrypt in RAM too).
|
Encrypting the whole hard-disk is going to be overkill for most
configurations. It's useless to encrypt */bin directories, but they
will cause a noticable speed impact when encrypted -- at least, if you
don't have much RAM or a slow CPU.
However, one should encrypt his home directory, or better yet, the
entire /home tree. Encrypted swap is an obligation in my opinion, and
modern distributions should provide an easy way to do all this
automatically on installation, if desired (using PAM for home directory
encryption or similar). Unfortunately I don't know of any distribution,
which does that.
I don't know exactly, what you mean by "overall encrypt in RAM", but if
you mean encrypting all RAM contents, this is either useless or
technically difficult. Remember that you have to save the key
somewhere, and you will save it in RAM. To keep this short: Using RAM
encryption is going to be more difficult than breaking it, thus it's
useless.
By the way, for current RAM chips, it is hard to read the RAM contents,
without having access to the operating system running, and/or without
disturbing its operation.
Regards,
E.S. |
|
| Back to top |
|
|
Loki Harfagr
*nix forums Guru
Joined: 25 Feb 2005
Posts: 782
|
| Posted: Mon Jun 19, 2006 11:10 pm Post subject:
Re: Disk over writing software
|
|
|
Le Mon, 19 Jun 2006 05:27:39 +0200, Ertugrul Soeylemez a écrit :
| Quote: | Loki Harfagr <loki@DarkDesign.free.fr> (06-06-18 18:50:40):
As for the the encrypting of HDs, do not omit your to encrypt your
swap partition (or use an overall encrypt in RAM too).
Encrypting the whole hard-disk is going to be overkill for most
configurations.
|
Right, but wasn't it reasonably on topic for this group to think
that this was not the question
Besides, you were the one to say :
"That's why I prefer encrypting my hard-disk instead of being concerned
about proper disposition."
to which I absolutely agree 
I was just reminding the occasional reader (obviously not you) a
small point about swap that would defeat all previous efforts if not controlled.
| Quote: | It's useless to encrypt */bin directories, but they
will cause a noticable speed impact when encrypted -- at least, if you
don't have much RAM or a slow CPU.
|
Agreed too.
| Quote: |
However, one should encrypt his home directory, or better yet, the
entire /home tree. Encrypted swap is an obligation in my opinion,
|
If swap is *supposed* to be used then *YES* do encrypt it.
Or don't use swap, *or* use an "overall encrypt in RAM" for data,
so even if some gets in the swap reposit at some time it'll just be
a part of the noise.
| Quote: | and
modern distributions should provide an easy way to do all this
automatically on installation, if desired (using PAM for home directory
encryption or similar). Unfortunately I don't know of any distribution,
which does that.
|
Er ... You seem concerned with securing a system and then
you install PAM on it !? That'd be quite as good by only rot13'ing
the filenames ;-)
| Quote: | I don't know exactly, what you mean by "overall encrypt in RAM", but if
you mean encrypting all RAM contents,
|
Right, I wasn't very clear! I just meant about using encrypted data
for data, the main hole in a system isn't the RAM (or if it'd be that'd
just mean you're already assaulted beyond help) but in the possibility of
some data written clear on some disk, use a RAM /tmp and encrypting pipes
then you may have proper data encryption for the parts that counts.
| Quote: | this is either useless or
technically difficult. Remember that you have to save the key
somewhere, and you will save it in RAM.
|
Not only, but I'll agree on that point too, at least there'll be
a moment when the keys would be in the RAM.
| Quote: | To keep this short: Using RAM
encryption is going to be more difficult than breaking it,
|
That's a part of the game ;-)
| Quote: | thus it's
useless.
|
Well, difficult or painful aren't necessarily synonyms of useless, but
I'll agree on that point too if you meant something like "users that use
heavy passwords" will end up to print them or forget them" ;D)
| Quote: | By the way, for current RAM chips, it is hard to read the RAM contents,
without having access to the operating system running, and/or without
disturbing its operation.
|
And on this you have my total reddition, sorry if my poor english
writing could make you feel I was criticizing your sayings.
Cheers. |
|
| Back to top |
|
|
Ertugrul Soeylemez
*nix forums Guru Wannabe
Joined: 28 Oct 2005
Posts: 126
|
| Posted: Tue Jun 20, 2006 10:18 pm Post subject:
Re: Disk over writing software
|
|
|
Loki Harfagr <loki@DarkDesign.free.fr> (06-06-20 01:10:23):
| Quote: | Encrypting the whole hard-disk is going to be overkill for most
configurations.
Right, but wasn't it reasonably on topic for this group to think that
this was not the question
Besides, you were the one to say :
"That's why I prefer encrypting my hard-disk instead of being
concerned about proper disposition."
|
I didn't talk about the _whole_ hard-disk. Some parts of /etc, my swap,
my /tmp and my /home are encrypted. I use Blowfish for swap (because
it's faster), and AES for the rest.
| Quote: | and modern distributions should provide an easy way to do all this
automatically on installation, if desired (using PAM for home
directory encryption or similar). Unfortunately I don't know of any
distribution, which does that.
Er ... You seem concerned with securing a system and then you
install PAM on it !? That'd be quite as good by only rot13'ing the
filenames
|
Sure. PAM provides the necessary modules to do things on login (like
mounting an encrypted partition). Combined with LUKS you could provide
the same partition to all users, without disclosing its key, and still
mounting it only on demand. However, I don't like LUKS, hence I don't
use it. I mount my partitions after boot. =)
| Quote: | I don't know exactly, what you mean by "overall encrypt in RAM", but
if you mean encrypting all RAM contents,
Right, I wasn't very clear! I just meant about using encrypted data
for data, the main hole in a system isn't the RAM (or if it'd be
that'd just mean you're already assaulted beyond help) but in the
possibility of some data written clear on some disk, use a RAM /tmp
and encrypting pipes then you may have proper data encryption for the
parts that counts.
|
Okay, that makes things clear. But then it's not a RAM issue.
| Quote: | this is either useless or technically difficult. Remember that you
have to save the key somewhere, and you will save it in RAM.
Not only, but I'll agree on that point too, at least there'll be a
moment when the keys would be in the RAM.
|
They need to be somewhere, otherwise you would be typing passphrases
every minute. A bit over-secured. =)
| Quote: | By the way, for current RAM chips, it is hard to read the RAM
contents, without having access to the operating system running,
and/or without disturbing its operation.
And on this you have my total reddition, sorry if my poor english
writing could make you feel I was criticizing your sayings.
|
Well, I guess you got me wrong. I didn't criticize either, I just added
that as a side-note. =)
Regards,
E.S. |
|
| Back to top |
|
|
Google
|
|
| Back to top |
|
|
|
|
The time now is Sat Nov 22, 2008 11:49 am | All times are GMT
|
|
Mortgage Calculator | Property in Spain | Free Text Messages | Internet Advertising | Home Loan
|
|
Copyright © 2004-2005 DeniX Solutions SRL
|
|
|
|
Other DeniX Solutions sites:
Unix/Linux blog |
electronics forum |
medicine forum |
science forum |
|
|
Privacy Policy
|
Powered by phpBB © 2001, 2005 phpBB Group
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
Forum index
»
*nix
»
Linux
»
security
