On Thu, 19 Jul 2012 11:06:02 +0000, rtvd wrote:
> I do not know how good Truecrypt is, but on top of all this misery with
> LUKS and friends the only out-of-the-box solutions do not allow you to
> use anything but plain password as a way of authentication. So if you
> are among those who are truly concerned about security and prefer to
> use things like security tokens then you have to hack that bootloader
> yourself, hoping that if you get it right your patch won’t be wiped out
> by the next software update. This also means a lot of wasted time.
Truecrypt supports the use of key files as well.
Truecrypt, however, does not support full-disk encryption and booting
Linux - only Windows. From what I’ve read on the Truecrypt forums,
they’re not likely to add it because FDE doesn’t provide actual plausible
deniability.
I’ve been toying with the idea, though, of combining a bootable USB flash
drive with a full disk encryption setup - the idea being you should be
able to boot from a flash drive and (optionally) use a key file on the
flash drive (or a secondary flash drive, sdcard, or the like) for
authentication.
The thing that I haven’t worked out (logically) is updating the kernel.
Since the initrd is not on the system but would need to be on the flash
drive, a kernel update would likely be more involved to make this work.
But the argument I’d make with the truecrypt folks as well is that FDE
isn’t always about plausible deniability, but it might be about fully
securing a portable device like a laptop. Yes, I can encrypt my home
directory/partition and that helps, but it doesn’t help protect installed
programs, configurations, etc, and that may cause other compromises. For
example, a VPN config stored in /etc/NetworkManager wouldn’t be protected
if the home partition is the only thing encrypted.
I use FDE on an external USB drive not because I need plausible
deniability, but because I have sensitive data that, should the drive
crash, I need to be sure is unrecoverable. I had an enclosure with 2
500GB drives and one crashed hard - and I had no easy way to guarantee
the data was unreadable using forensic tools - and for peace of mind, I
wanted to be sure that they weren’t readable since I had things like old
tax returns backed up there.
Jim
--
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
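One way to lay out the setup Jim sketches above (system disk fully LUKS-encrypted, /boot and the initrd on a bootable stick, key file on a second stick), as an added example that is not from the post and is not openSUSE's or TrueCrypt's own code. It assumes a modern systemd/dracut-based distribution: the `keyfile:device` form in crypttab(5) and the kernel-install(8) hook directory, neither of which is how openSUSE worked in 2012. The device names /dev/sda2, /dev/sdb1, /dev/sdc1, the /root.key path on the key stick, the hook file name and the UUIDs used in the test are all assumptions. The destructive part only runs with `--apply` as root; the helper functions are pure and can be exercised safely.

```shell
#!/bin/sh
# Added example (not the poster's setup). Assumptions: systemd/dracut
# initrd honouring crypttab(5) "keyfile:device", kernel-install(8) hooks,
# and the device names / paths below.
set -eu

# 1. A 64-byte random key file, created unreadable by anyone but root.
make_keyfile() {                      # make_keyfile /path/to/root.key
    ( umask 077; head -c 64 /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# Refuse anything that is not a UUID before it is written to a config file.
is_uuid() {
    printf '%s\n' "$1" |
      grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# 2. crypttab line: unlock <name> (LUKS container <luks_uuid>) with
#    <key_path> read from the filesystem whose UUID is <stick_uuid>.
#    keyfile-timeout: if the key stick is absent, fall back to the
#    passphrase prompt instead of hanging, so the laptop still boots.
crypttab_entry() {         # crypttab_entry name luks_uuid key_path stick_uuid
    is_uuid "$2" && is_uuid "$4" || return 1
    printf '%s UUID=%s %s:UUID=%s luks,keyfile-timeout=10s\n' "$1" "$2" "$3" "$4"
}

# 3. fstab line for /boot on the bootable stick. noauto,nofail: the stick
#    may be unplugged after boot and is mounted explicitly before updates.
fstab_boot_entry() {                  # fstab_boot_entry boot_fs_uuid
    is_uuid "$1" || return 1
    printf 'UUID=%s /boot ext4 noauto,nofail 0 2\n' "$1"
}

# 4. kernel-install hook (assumed path /etc/kernel/install.d/): refuse to
#    install a kernel unless /boot is mounted, because the new initrd has
#    to land on the stick, not on the (encrypted, useless for boot) disk.
kernel_hook() {
    cat <<'EOF'
#!/bin/sh
[ "$1" = add ] || exit 0
if ! findmnt -n /boot >/dev/null 2>&1; then
    echo "$0: /boot (USB stick) is not mounted; plug it in and run: mount /boot" >&2
    exit 1
fi
EOF
}

# One-time setup. Destructive; run as root and only with --apply.
apply() {
    DISK=/dev/sda2; BOOT=/dev/sdb1; KEYS=/dev/sdc1       # assumed devices
    make_keyfile /tmp/root.key
    cryptsetup luksAddKey "$DISK" /tmp/root.key   # passphrase slot is kept
    mkdir -p /mnt/keys && mount "$KEYS" /mnt/keys
    mv /tmp/root.key /mnt/keys/root.key
    crypttab_entry cryptroot "$(blkid -s UUID -o value "$DISK")" /root.key \
        "$(blkid -s UUID -o value "$KEYS")" >> /etc/crypttab
    fstab_boot_entry "$(blkid -s UUID -o value "$BOOT")" >> /etc/fstab
    kernel_hook > /etc/kernel/install.d/05-require-boot-stick.install
    chmod 0755 /etc/kernel/install.d/05-require-boot-stick.install
    mount /boot && dracut --force       # rebuild the initrd onto the stick
}

if [ "${1-}" = --apply ]; then apply; fi
```

The key file is a possession factor only: whoever holds both sticks and the laptop is in, which is why the passphrase slot is left in place rather than removed. The hook addresses the kernel-update problem raised in the post: updates simply fail until the boot stick is plugged in and mounted, instead of silently writing an initrd the bootloader will never see.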