From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <chris@colorremedies.com>
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com
 [IPv6:2a00:1450:4864:20::432])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by mail.server123.net (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Mon, 16 Dec 2019 21:46:58 +0100 (CET)
Received: by mail-wr1-x432.google.com with SMTP id q6so8907660wro.9
 for <dm-crypt@saout.de>; Mon, 16 Dec 2019 12:46:57 -0800 (PST)
MIME-Version: 1.0
References: <CAJCQCtSUtmf1wOs=ecch-EioqT5isLOyyw5aZhJ3RXjRL3mLBg@mail.gmail.com>
 <2b1f731d-0713-fadf-f895-b62b00363a95@gmail.com>
 <qt1odg$5hpb$1@blaine.gmane.org> <20191214144236.GA12121@tansi.org>
 <CAJCQCtQ4YWh0+4vbHPKF9kL=g0_0G7xpZsY7xnSJffTn_HPWsg@mail.gmail.com>
 <Kuf0HqfNDFs36S39f45WW2TuxKIdYzTr0QkObdzLaUYeY2s58O5BPCwXLBK43xVi1E7pXvVZ3zD12KLVkAU7V3a03Gu6-eIo4PtVts8rDA4=@protonmail.ch>
 <CAJCQCtSC20ocCM50KbOcFO7LwBv-EQyJH1HSySqMc3Q=51sMEw@mail.gmail.com>
 <HR1_2D_XSeTc2zLOBn4VxqML7PgGozaJjxIccFuR78H_4BgIuRmtWKaoFIXFtFA3C2iDyLJtvF4v4qHfsgwMFQr6exAbigHfv1JKnyTd4VA=@protonmail.ch>
 <CAJCQCtRu0hn34JGN+MvRoDXg3ri9aUi9Y+gD6kuSKYvj=nxV-Q@mail.gmail.com>
 <20191216184935.GA17227@tansi.org>
In-Reply-To: <20191216184935.GA17227@tansi.org>
From: Chris Murphy <lists@colorremedies.com>
Date: Mon, 16 Dec 2019 13:46:40 -0700
Message-ID: <CAJCQCtSL3CSDt_-Tqu2GQpM4mjbMnc=RMHxVFuiQH=g4m8pHxg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [dm-crypt] LUKS2 support for null/plaintext target
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <https://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <https://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <https://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Mon, Dec 16, 2019 at 11:52 AM Arno Wagner <arno@wagner.name> wrote:
>
> On Mon, Dec 16, 2019 at 19:24:33 CET, Chris Murphy wrote:
> [...]
> > But consider that as a direct consequence of the burden to
> > backup->luksFormat>restore, quite a lot of users opt out of encryption
> > entirely. The point of in-place conversion isn't perfect security.
> > It's to get more users to opt in, by reducing the penalty of opting
> > in.
>
> But why would you _want_ users to "opt in"? It seems like entirely
> the wrong thing to do to me. First consider that the users
> you are talking about do not have backups. Hence their data must
> be basically worthless anyways!

First, this is a distraction and not relevant. It conflats
confidentiality with integrity/availability of the data. That the data
should be private/remain confidential is not related to it's long term
value.

Second, blkdiscard and fstrim can merely flag cells for erasure, or
merely dereference LBAs. No assurance the cells are actually erased or
when they will be erased. It's the same as the firmware passively
determining cells can be marked for erasure upon LBA overwrite of an
in-place conversion.

Is it your position that only Security Erase, Security Erase Enhanced,
or Sanitize avoid giving the user a false sense of security? In which
case, now the procedure requires a complete wipe of the drive. And
that means a fully offline process to conduct the restore until it is
complete during which time the system is not usable. And it's extra
burdensome for dual boot users, who must do two full reinstallations
and restores of those two operating systems.

>Second, their data is so little
> in need of protection that something as simple and as a backup
> already makes them do without encryption. Hence their data must
> actually not be sensitive in any way!

I reject the premise entirely. And it ignores users who have done a
backup, who still have a significantly greater burden put on them
through esoteric processes necessary to do encryption after the fact,
and a monolithic restore from backup which prevents them from working
until the restore is complete. That is not the case with in-place
conversion - the system is completely transparently usable the entire
time including reboots and shutdowns.

> Given these two things, why on earth do you want these people
> to use encryption?

I think these are weak arguments, in addition to wholesale ignoring
users who do backup who still have an unreasonable burden put on them
by existing choices: install time encryption or post-install partition
ninja and offline restore.

The vastly stronger argument is: this is really hard to do and we
don't want to do it.

Papering over that with unpersuasive security concerns, and making
assumptions about whether users backup or not, doesn't progress the
conversation.

> Security comes at a price. That price has to be paid.
> No price - no security. There is _no_ way to fix this and trying
> to do so only does damage to the user by making things too complex
> for them to handle.

The backup restore proposal is too complex, it's why users don't opt
in now. It's why alternatives are being explored by downstreams.

The argument that the user is at greater risk with an in-place
conversion than backup restore, neither depending on prior Secure
Erase or Sanitize but only depending on trim/discard, is not
persuasive. Such preparation is not built-in for any distro installer
with which I'm familiar, not even as an option let alone by default.
Secure Erase is esoteric knowledge. I would be surprised if 1 in 1000
users has heard of it.


-- 
Chris Murphy