Message-ID: <22334.1108563638@www36.gmx.net>
From: ledeve at gmx.net (Lentila de Vultur)
Subject: harddisk encryption
my comments to your comments:
> 1. If the encryptor encrypts your boot disk, it has to be involved early in the
> boot process and may be broken by anything that changes the system boot sequence.
> On the whole such a product would likely need two different drivers, one of which
> would change BIOS behavior, and the other of which would change runtime
> OS behavior, and they must be in synch with one another.
>
> This is fine until you decide to change operating systems, at which point the boot
> may change and make your old data suddenly disappear. Things on the other hand are
> easier if the encrypting disk product only encrypts data devices (including virtual
> disks) since only one driver need be used.
in this case you can unencrypt the drive, do the necessary changes, and
re-encrypt it. con: it's time-consuming.
> 2. In the event of disk crash or emergency, unless a tool is provided to allow you
> to access the encrypted disk from somewhere else, anything which causes an OS to
> become non bootable may be unfixable. You would not normally want such a tool online,
> but when you need it, you REALLY need it.
such tools are provided (at least for utimaco and securstar). and they are
small enough to fit on a floppy. of course you need to provide proper
credentials to decrypt anything. the possibility to save the encryption keys
and user authentication data is also provided.
> 4. An interesting question to ask of such a package is whether the data in any
> disk block is a cipher depending only on a fixed key and the original data. If so,
> and the same key is used for every block, there are attacks which can be used
> to compromise such a system without having to decrypt it all. If on the other hand
> something else is an input, you need to know what else is used and how it is
> used and how key scheduling is done, to make any estimate of how strong the
> cipher really is.
can you please detail on this? or point me to some documentation.
> The Utimaco literature suggests that many users may have different passwords to
> access a computer disk protected by its package. If I were buying it in bulk I
> would certainly want to know more about how the key management is done to allow
> this.
i've asked them. but no answer as yet.
thanks.
> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com
> [mailto:full-disclosure-bounces@...ts.netsys.com]On Behalf Of Lentila de Vultur
> Sent: Tuesday, February 15, 2005 10:05 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] harddisk encryption
>
>
> hi,
>
> sorry for my late answer and for breaking the thread. below you can find the
> original post:
>
> <>
> i'm evaluating a software that performs harddisk encryption for deploying in
> my company. the software in question is utimaco safeguard easy v4.10
> (www.utimaco.com) running on w2k.
>
> i am interested in community's opinion about this product. has anyone
> performed a detailed analysis of it? i googled around but i couldn't find
> much information, except that the version 3.20 sr1 has earned an eal3
> certification from the german federal agency for it security.
> </>
>
>
> thank you for all your answers and suggestions on and off the list.
>
> what i like at safeguard easy are the possibility to encrypt full harddisks,
> not only files or partitions, and the boot authentication. Frank Knobbe
> suggested encryption plus hard disk from pc guardian - I asked for an
> evaluation copy. google suggested also drive crypt plus pack -
> www.securstar.com.
>
> imho, the main disadvantage of pgpdisk and alike compared with
> full-encryption tools is that valuable data can remain unencrypted in the
> swap file or in temporary files outside the container. When using full
> harddisk encryption tools no extra user interaction is required, everything
> is done transparently. there is no need for user training.
>
>
> --
> this e-mail is certified content-free.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
this e-mail is certified content-free.
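
An added illustration of the question raised in point 4 of the quoted text, not part of the original message and not any vendor's algorithm: it compares sector encryption that depends only on key and data with a variant that also takes the sector number as input. The toy Feistel cipher, the key, the 512-byte sector size and the six-sector disk image are all constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

SECTOR, BLOCK = 512, 16  # bytes per sector / per cipher block (assumed sizes)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    """4-round Feistel permutation; a toy stand-in for a real block cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def encrypt_fixed(key, sector_no, data):
    """Ciphertext depends only on key and data; sector_no is ignored."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, SECTOR, BLOCK))

def encrypt_tweaked(key, sector_no, data):
    """XEX-style: a mask derived from sector number and block offset is
    XORed in before and after the block cipher."""
    out = []
    for i in range(0, SECTOR, BLOCK):
        pos = sector_no.to_bytes(8, "big") + i.to_bytes(4, "big")
        mask = hmac.new(key, b"tweak" + pos, hashlib.sha256).digest()[:BLOCK]
        out.append(xor(toy_block_encrypt(key, xor(data[i:i + BLOCK], mask)), mask))
    return b"".join(out)

def repeated_sectors(encrypt, key, disk):
    """Number of ciphertext sectors identical to an earlier ciphertext sector."""
    counts = Counter(encrypt(key, n, s) for n, s in enumerate(disk))
    return sum(c - 1 for c in counts.values())

def sample_disk():
    """Constructed six-sector image: three empty sectors, two identical
    data sectors and one unique sector."""
    zero, same, uniq = bytes(SECTOR), b"A" * SECTOR, bytes(range(256)) * 2
    return [zero, zero, same, zero, uniq, same]

if __name__ == "__main__":
    key = b"constructed demo key, not secret"
    for mode in (encrypt_fixed, encrypt_tweaked):
        print(mode.__name__, repeated_sectors(mode, key, sample_disk()))
```

With the fixed-key variant, equal plaintext sectors stay visibly equal in the ciphertext, so the layout of empty and duplicated areas is readable without any decryption; with the sector number as an extra input that pattern disappears.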