From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <chris@colorremedies.com>
Received: from mail-wr1-x441.google.com (mail-wr1-x441.google.com
 [IPv6:2a00:1450:4864:20::441])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Mon, 16 Dec 2019 19:24:50 +0100 (CET)
Received: by mail-wr1-x441.google.com with SMTP id q10so8483700wrm.11
 for <dm-crypt@saout.de>; Mon, 16 Dec 2019 10:24:50 -0800 (PST)
MIME-Version: 1.0
References: <CAJCQCtSUtmf1wOs=ecch-EioqT5isLOyyw5aZhJ3RXjRL3mLBg@mail.gmail.com>
 <2b1f731d-0713-fadf-f895-b62b00363a95@gmail.com>
 <qt1odg$5hpb$1@blaine.gmane.org> <20191214144236.GA12121@tansi.org>
 <CAJCQCtQ4YWh0+4vbHPKF9kL=g0_0G7xpZsY7xnSJffTn_HPWsg@mail.gmail.com>
 <Kuf0HqfNDFs36S39f45WW2TuxKIdYzTr0QkObdzLaUYeY2s58O5BPCwXLBK43xVi1E7pXvVZ3zD12KLVkAU7V3a03Gu6-eIo4PtVts8rDA4=@protonmail.ch>
 <CAJCQCtSC20ocCM50KbOcFO7LwBv-EQyJH1HSySqMc3Q=51sMEw@mail.gmail.com>
 <HR1_2D_XSeTc2zLOBn4VxqML7PgGozaJjxIccFuR78H_4BgIuRmtWKaoFIXFtFA3C2iDyLJtvF4v4qHfsgwMFQr6exAbigHfv1JKnyTd4VA=@protonmail.ch>
In-Reply-To: <HR1_2D_XSeTc2zLOBn4VxqML7PgGozaJjxIccFuR78H_4BgIuRmtWKaoFIXFtFA3C2iDyLJtvF4v4qHfsgwMFQr6exAbigHfv1JKnyTd4VA=@protonmail.ch>
From: Chris Murphy <lists@colorremedies.com>
Date: Mon, 16 Dec 2019 11:24:33 -0700
Message-ID: <CAJCQCtRu0hn34JGN+MvRoDXg3ri9aUi9Y+gD6kuSKYvj=nxV-Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [dm-crypt] LUKS2 support for null/plaintext target
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <https://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <https://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <https://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: Jordan Glover <Golden_Miller83@protonmail.ch>
Cc: Chris Murphy <lists@colorremedies.com>, "dm-crypt@saout.de" <dm-crypt@saout.de>

On Mon, Dec 16, 2019 at 10:08 AM Jordan Glover
<Golden_Miller83@protonmail.ch> wrote:
>
> On Sunday, December 15, 2019 8:49 PM, Chris Murphy <lists@colorremedies.com> wrote:
>
> > On Sun, Dec 15, 2019 at 10:51 AM Jordan Glover
> > Golden_Miller83@protonmail.ch wrote:
> >
> > > I think encrypting previously unencrypted data on the same disk
> > > doesn't guarantee that old data won't be recoverable especially
> > > on ssd/nvme which are ubiquitous today. Officially supporting
> > > such case on LUKS will give users false sense of security of
> > > their data.
> >
> > This problem exists even in the backup and restore to LUKS encrypted
> > volume case. In fact it's less reliable because there's no assurance
> > with backup->restore method that all previously occupied LBAs are
> >
> > overwritten, whereas an inplace conversion can assure that all LBAs in
> > the previous range are read and encrypted. It's a matter of
> > implementation, there's the potential for false sense of security
> > regardless.
> >
> > Chris Murphy
>
> AFAIK simply overwriting data isn't reliable method for cleaning ssd/nvme.
> For those either ATA SECURE ERASE[1] or blkdiscard[2] should be used.
>
> Unless I'm mistaken, inplace conversion does neither while user can run
> them manually during backup/restore.

Without testing, which would be make/model/firmware specific, it's not
certain what really happens on flash memory chips themselves. ATA
Secure Erase is probably the better recommendation but as both
ultimately depend on drive firmware to fulfill the operation, it's
really a big *shrug* and therefore I reject the idea that there is a
clear line in the sand. It should be true and probably is true that
Secure Erase Enhanced or Sanitize are better than blkdiscard. But if
it's uncertain, on what basis is a line drawn?  Upstreams can state
the facts including the unknowns, and help user and distros draw their
own line.

But consider that as a direct consequence of the burden to
backup->luksFormat>restore, quite a lot of users opt out of encryption
entirely. The point of in-place conversion isn't perfect security.
It's to get more users to opt in, by reducing the penalty of opting
in.

False sense of security? We have this problem already with cryptsetup
--allow-discards leaking fs specific locality in combination with
fstrim. And fscrypt() leaks quite a lot of metadata. And the ATA spec
allows reserve and overprovision areas to not be erased with Secure
Erase, where either Secure Erase Enhanced and Sanitize should cover
those areas.

In place conversion can be better supported in more sophisticated
environments. Linux installers are already overly complicated and soak
limited resources maintaining them  Opting into encryption right now
essentially requires either installer support or the burden of backup
restore. That's not great choices. And what installers provide an ATA
Secure Erase or Sanitize option? I don't know of any.

Conversely, Windows and macOS use comparatively brain dead installers
(very simplistic UI, perhaps a few choices at most, pretty much
amounting to point at a target and push a button). Easy to install.
Easy to make the encryption decision later without the penalty of
backup restore. Perfectly secure encryption? I don't know. But the
barrier to entry is low.

It is a very different problem where to find the resources to build
in-place conversion. But I think it's unwittingly asking more users to
forgo encryption at all to argue against it on the basis that it's
somehow a significant security risk. How many hours, days or weeks of
typical usage do you think takes before all cells have either been
erased or overwritten by encrypted data? There is interim exposure,
that some use case will care about, but some won't. And that might be
more useful in assessing a personal line in the sand than
categorically saying in-place conversion gives a false sense of
security.


-- 
Chris Murphy