The available data-at-rest encryption methods can be separated into two types by their layer of operation: If you are completely unfamiliar with this sort of operation, please also read the #How the encryption works section below. the logical part of the disk that holds the encrypted data) has been "unlocked" and mounted.įor this to happen, some "secret information" (usually in the form of a keyfile and/or passphrase) needs to be supplied by the user, from which the actual encryption key can be derived (and stored in the kernel keyring for the duration of the session). (Discuss in Talk:Data-at-rest encryption)Īll data-at-rest encryption methods operate in such a way that even though the disk actually holds encrypted data, the operating system and applications "see" it as the corresponding normal readable data as long as the cryptographic container (i.e. Reason: Ext4, ZFS and possible other filesystems offer (native) encryption. Another benefit of system data encryption is that it complicates the installation of malware like keyloggers or rootkits for someone with physical access. This however comes with the disadvantage that unlocking of the encrypted parts of the disk has to happen at boot time. The solution is to encrypt both system and user data, preventing unauthorized physical access to private data that may be cached by the system. /var (log files and databases and such for example, mlocate stores an index of all file names in /var/lib/mlocate/mlocate.db).(potential remedies: avoid such applications mount /tmp inside a ramdisk)./tmp (temporary files created by user applications).(potential remedies: disable swapping, or use encrypted swap as well).In modern computer systems, there are many background processes that may cache and store information about user data or parts of the data itself in non-encrypted areas of the hard drive, like: While encrypting only the user data itself (often located within the home directory, or on removable media like a data DVD), is the simplest and least intrusive method, it has some significant drawbacks. Regular backups are recommended to keep your data safe. Warning: Data-at-rest encryption also will not protect you against someone simply wiping your disk. The best remedy might be hardware-based full-disk encryption and Trusted Computing. And even then it cannot prevent all types of tampering (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system before you use it. Also see XKCD #538Ī very strong disk encryption setup (e.g. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |