It's sad we need encryption mostly for protection from not criminals, but our own government for even trivial data.<p>What freaks me out most these days is how easily people fall into the belief that "oh well traveling is not a right so you have to give up rights when you fly or drive anywhere".<p>No, if you are a citizen of the United States and unless you are actually crossing a border, you should have the unqualified protection against unreasonable searches, especially without warrants.<p>I also don't accept the "well it's worse in other countries, be happy you are not there" argument. This country is not even 250 years old. The laws we made are pretty fundamental and not old at all. It's not some kind of game where they should be allowed to dance around the edges to break them.
I'm not an expert on security, but I do know a bit about human nature. I'd suggest a 2-level encryption scheme. Perhaps FDE and a BIOS password as level 1, and then a futher encrypted area of your HD as level 2.<p>Why? Because this allows you to appear to be cooperating with any request to look at your computer. Simply type in the level 1 stuff and demonstrate the system booting up. I bet 9 times out of 10 whoever is checking you over will stop right there: it looks a lot like compliance. If they keep pushing for total access to your data simply say "no" Whereas if you say "no" to begin with, you're likely to attract more attention than if it appears you have nothing to hide. In many cases people are working jobs where they only have so much time to check things -- unless there appears to a be a person with a problem, in which case they can take all day with you. So help them out. Give them something to ask you for that you can produce. Then everybody can move along and it's not a problem for anybody.
If you go full disk encryption with TrueCrypt, make sure you look into their Hidden OS feature as well. A judge may be able to order you to give up the decryption key to the OS when accessing the drive prompts for one (last I checked the precedent is still somewhat shaky), because while they can't know what's being encrypted they can infer something readable is. They can't prove the existence of a Hidden OS, though, so your 'real' encrypted area is just noise and can't be legally proved anything else so a second key can't be demanded.
The feds and other serious folks are pretty careful these days not to turn off anything until they've had forensics evaluate the situation. And not just because of FDE, memory analysis very frequently yields the best evidence due to it's timely and overlooked nature. Since most encryption systems retain their keys during lock and sleep, unless you usually leave your system powered off I wouldn't count on being afforded much privacy if you're interesting enough to bother.<p>That said I still use it on both of mine and definitely suggest it, it's a very small performance penalty for what will be a godsend if your laptop turns up lost or stolen.<p><a href="https://code.google.com/p/cryptsetup/" rel="nofollow">https://code.google.com/p/cryptsetup/</a>
It's an excellent precaution against the much more mundane and common threats like loss or theft though
<i>Microsoft BitLocker in its most secure mode is the gold standard because it protects against more attack modes than other software. Unfortunately, Microsoft has only made it available with certain versions of Microsoft Windows.</i><p>Though MS says that BitLocker doesn't have back doors [1], I wonder how true this actually is...<p>[1] <a href="http://blogs.msdn.com/b/si_team/archive/2006/03/02/542590.aspx" rel="nofollow">http://blogs.msdn.com/b/si_team/archive/2006/03/02/542590.as...</a>
On OSX with Lion - there is no excuse<p><a href="http://osxdaily.com/2011/08/10/filevault-2-benchmarks-disk-encryption-faster-mac-os-x-lion/" rel="nofollow">http://osxdaily.com/2011/08/10/filevault-2-benchmarks-disk-e...</a>
I am not convinced by one of the quiz answers:<p>> <i>Our calculations confirm that a relatively short series of truly randomly chosen English dictionary words is secure; many people find these somewhat more memorable. Above we used "In the jungle! The mighty Jungle, the lion sleeps tonight!" The important thing is to choose enough words and to choose them in a random un-guessable way, such as by changing the spacing, punctuation, spelling, or capitalization.</i><p>The problem with this example is that the 10 words are not chosen independently. Type "in the j" into a google search box and the whole phrase will appear in the drop-down box. So the entropy for the choice of that phrase is about lg2(37^8) or about 42 bits.<p>So an approximation of the total entropy is:<p>Choice of source phrase = lg2(37^8) ~= 41.7 bits<p>Choose one of the 10 suggestions from the drop-down box = lg2(10) ~= 3.3 bits<p>Permutation of words = lg2(10! / 2! / 3!) ~= 18.2 bits<p>Spacing (assume each word may independently be precedeed by a space with probability 0.5)
=10 bits<p>Punctuation (each word may be independently followed by '!') = 10 bits<p>Capitalization: independently choose one of {lowercase, camelcase, uppercase) for each word = lg2(3^10) ~= 15.8 bits<p>Total so far: 98 bits.<p>Now consider the third option: a mixture of 16 independently-chosen letters, numbers and symbols. Assume most ASCII characters are available (lets eliminate single quote, backslash and $ which cause problems for some web apps) and we have<p>lg2(92^16) ~= 104.4 bits, which wins.
Unfortunately, full-disk encryption absolutely kills SSD performance because it makes the data look random (i.e. incompressible). It will wear out the SSD much faster than using it without would, because the hardware compression unit in the controller can sometimes achieve 8:1, and therefore have to rewrite only 1/8th of the NAND cells that it otherwise would.
Enlightening (and scary) stuff.<p>Encryption is great but won't save you if they ask for your password (honestly, I'd prefer to give them the password and circumvent using online storage.)<p>With that in mind - what advice would all you security buffs have on the best way to back up your hard drive to an online disk? Specifically using a basic hosting account as opposed to SAAS or cloud service?
I wonder if there would be significant environmental implications if everyone switched to full disk encryption...<p>Does this impose a significant processor load and does that translate to greater power consumption?
What about on my mobile? I am not aware (as I havent looked) of any encryption available to the data on my iPhone, or MyTouch 4G.<p>Further, I use Gmail - I have zero expectation of privacy from google.<p>I also store all my important docs for work and personal on DropBox.<p>What will I gain from encrypting my laptop? aside from it being stolen/lost - I dont see any added security/benefit from doing this.<p>I am not trying to be obtuse - but can one explain to me why I would want to do this, other than expressing my tech savvy?
One thing that worries me is how difficult it makes it if you get some data corruption. For example, I had a hardrive that had full disk encryption start to fail, and found pulling the data off much more difficult because I had to decrypt the whole lvm to get any access. I'm actually not confident how exactly corruption maps from cyphertext to plaintext in various modern crypto systems. I would guess that you would get out gibberish though.
I got myself an SSD for Christmas and that is why I moved off full disk encryption on home computer and instead encrypt almost everything except the system. However I've turned off the page file and I'm trying to set up pre boot authentication for non system volumes.<p>On another note, I plan to slowly switch to Ubuntu and I wonder how secure the home folder encryption is?
It's nice that computers are now powerful enough that full disk encryption is almost performance-neutral. But realistically, if they want your data then they can get it.
Spear phishing works very well and if not, there's always indefinite detention.<p>Technology is only a small part of the solution to warrantless border searches.
I'm concerned about privacy too but none of the worrisome areas would be improved by FDE. Facebook/Google, tracking, keyloggers etc is where the main problem lies.
Can anyone comment on the speed/performance of TrueCrypt, EncFS, and similar on older systems, e.g. a 5 - 7 year old laptop? I'm considering carrying a "sacrificial" machine in case it is, um, "indefinitely detained", but I'm uncertain what kind of a performance hit full disk (or partition -- though I'm inclined to encrypt the entire disk) encryption will incur. (I currently have Core Duo and P4 candidates for the job.)
My system triple boots into OS X, Windows and Ubuntu. I have a home partition, formatted in HFS+.<p>What would be the best strategy for me to use? Should I just encrypt the home volume using something cross-platform like TrueCrypt, or is it practical (an maintainable) to do full-disk encryption in such an environment?<p>My home partition has very sensitive data and I've been putting off creating a TrueCrypt container for this data.
I just use two RAIDed NAS boxes, one as a long term, large file media/data store and another for small files on SSD RAID. All my comps are now dumb terminals, booting an OS and software. Works well and was surprisingly cheap for what is essentially a complete, hassle free system.
I did this over a year ago and am very happy. I use TrueCrypt. I have not noticed any slow downs (even for gaming)... That said, you should probably not do this if your drives are failing (or you tend to suffer a lot of disk failures).
None of my current computers is powerful enough for that without it being a serious hassle. And I'm pretty sure it will drain my laptop battery much faster...
So how do you encrypt a home server? Any device that has to be bootable without human intervention will have to store the encryption keys on the device somewhere making the encryption merely obfuscation.<p>It is possible for "swap" RAM to be encrypted on Linux and it could generate a random per boot key, also being a form of obfuscation. <a href="https://lkml.org/lkml/2011/12/28/69" rel="nofollow">https://lkml.org/lkml/2011/12/28/69</a>
Unfortunately, the amount of time I spend running/breaking the development version of Ubuntu prohibits <i>full</i> disk encryption, but I do have /home encrypted. Is that "good enough"?