* [dm-crypt] LUKS2 support for null/plaintext target @ 2019-12-06 23:10 Chris Murphy 2019-12-07 9:39 ` Michael Kjörling 2019-12-13 14:59 ` Milan Broz 0 siblings, 2 replies; 21+ messages in thread From: Chris Murphy @ 2019-12-06 23:10 UTC (permalink / raw) To: dm-crypt Hi, I'm wondering if it's possible, or LUKS2 could be extended, to support an non-encrypted target. That is, the virtual device and backing device would contain the same information. The use case is to make it possible for software installers to make future encryption possible for a volume without need to repartition/reformat. Thanks, -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-06 23:10 [dm-crypt] LUKS2 support for null/plaintext target Chris Murphy @ 2019-12-07 9:39 ` Michael Kjörling 2019-12-08 16:59 ` Chris Murphy 2019-12-13 14:59 ` Milan Broz 1 sibling, 1 reply; 21+ messages in thread From: Michael Kjörling @ 2019-12-07 9:39 UTC (permalink / raw) To: dm-crypt On 6 Dec 2019 16:10 -0700, from lists@colorremedies.com (Chris Murphy): > The use case is to make it possible for software installers to make > future encryption possible for a volume without need to > repartition/reformat. Wouldn't a normal LUKS container with an empty passphrase meet that use case just as well? With an empty passphrase (and possibly a low iteration count; I don't know if that would matter or not in the specific case of an empty passphrase, and it certainly wouldn't matter _in practice_), you're _effectively_ not gaining any protection from the encryption. To gain protection would involve setting a passphrase, deleting the empty-passphrase key slot, and reencrypting the volume with a new master key (which would also invalidate any potentially-leaked header copies). In other words, about the same as in your proposed scenario. Especially if the empty-passphrase keyslot is in a well-known location, that whole process could easily be automated. The only real difference would seem to me to be that with actual encryption, you're paying the performance penalty for the encryption even though you aren't gaining any security benefit from doing the encryption (and decryption), which would be less of case with a null cipher. But if you're on a system today where that matters to any significant degree, it seems unlikely you'll want to add encryption later, so that appears to me to be somewhat of a draw. -- Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?” ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-07 9:39 ` Michael Kjörling @ 2019-12-08 16:59 ` Chris Murphy 0 siblings, 0 replies; 21+ messages in thread From: Chris Murphy @ 2019-12-08 16:59 UTC (permalink / raw) To: dm-crypt On Sat, Dec 7, 2019 at 2:42 AM Michael Kjörling <michael@kjorling.se> wrote: > > On 6 Dec 2019 16:10 -0700, from lists@colorremedies.com (Chris Murphy): > > The use case is to make it possible for software installers to make > > future encryption possible for a volume without need to > > repartition/reformat. > > Wouldn't a normal LUKS container with an empty passphrase meet that > use case just as well? Maybe? The main idea is to enable a distro/OS installer to avoid interactivity and UI for setting up encrypted volumes, but make it possible to setup and enabled post-install. I haven't tried it, but does 'cryptsetup luksFormat' permit an empty passphrase? And if it's empty, would 'cryptsetup luksOpen' open it without a passphrase or keyfile? -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-06 23:10 [dm-crypt] LUKS2 support for null/plaintext target Chris Murphy 2019-12-07 9:39 ` Michael Kjörling @ 2019-12-13 14:59 ` Milan Broz 2019-12-13 18:54 ` Chris Murphy 2019-12-14 4:28 ` Robert Nichols 1 sibling, 2 replies; 21+ messages in thread From: Milan Broz @ 2019-12-13 14:59 UTC (permalink / raw) To: Chris Murphy, dm-crypt Hi, On 07/12/2019 00:10, Chris Murphy wrote: > I'm wondering if it's possible, or LUKS2 could be extended, to support > an non-encrypted target. That is, the virtual device and backing > device would contain the same information. (You are not the first one asking for support for this option.) In fact, the support is already there. But I am reluctant to officially support it for a very long time, because it would be super confusing for users (We have LUKS, but actually no encryption?!) So, the first method: you can always use cipher_null (and you must use empty passphrase in this case). That variant should work already and it is intended for debugging/measuring dm-crypt layer overhead (dm-crypt is used, but with the null cipher). The second variant is to directly use dm-linear target instead of dm-crypt, and it is already used during online (re)encryption in one phase - when adding encryption to not yet encrypted device. You cannot format such a device initially this way. It is not so complicated to add support for this to format operation, but ... I am still not sure. Any comments? Milan ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-13 14:59 ` Milan Broz @ 2019-12-13 18:54 ` Chris Murphy 2019-12-13 21:41 ` Arno Wagner 2019-12-14 4:28 ` Robert Nichols 1 sibling, 1 reply; 21+ messages in thread From: Chris Murphy @ 2019-12-13 18:54 UTC (permalink / raw) To: Milan Broz; +Cc: Chris Murphy, dm-crypt On Fri, Dec 13, 2019 at 7:59 AM Milan Broz <gmazyland@gmail.com> wrote: > > Hi, > > On 07/12/2019 00:10, Chris Murphy wrote: > > I'm wondering if it's possible, or LUKS2 could be extended, to support > > an non-encrypted target. That is, the virtual device and backing > > device would contain the same information. > > (You are not the first one asking for support for this option.) > > In fact, the support is already there. But I am reluctant to officially > support it for a very long time, because it would be super confusing > for users (We have LUKS, but actually no encryption?!) I agree there is potential for confusion. And it might be out of scope for LUKS. When I do: # blkid I see a partition is TYPE="crypto_LUKS" and that's a fairly difficult statement of fact to overcome with a "yeah but it really isn't crypto, you should have run this other command that would tell you that". There is a valid argument that the crypto_LUKS signature should be trusted to mean the contents are in fact ciphertext,, and not pseudo-ciphertext trivially unlocked. > So, the first method: > you can always use cipher_null (and you must use empty passphrase in this case). > That variant should work already and it is intended for debugging/measuring dm-crypt > layer overhead (dm-crypt is used, but with the null cipher). > > The second variant is to directly use dm-linear target instead of dm-crypt, > and it is already used during online (re)encryption in one phase - when adding > encryption to not yet encrypted device. > You cannot format such a device initially this way. > > It is not so complicated to add support for this to format operation, > but ... I am still not sure. Any comments? In some sense the feature request is trying to make LUKS deal with two difficulties: 1. producing a standard everyone can agree on, because if LUKS doesn't do it, would anyone else follow it? 2. adding the necessary free space in front of the partition to be encrypted, the area that would be used for the LUKS header and padding The gotcha with 2. without LUKS taking on this role, is how ugly it ends up looking depending on what partition scheme is being used: a. GPT only: create an empty partition ~16MB, immediately before the intended plaintext partition that will be later converted (encrypted). Maybe it gets a unique magic, or a new partition type GUID, that describe it as "empty but intended for future LUKS-based encryption of the partition that follows" b. LVM LV? No idea. c. MBR? Similar to GPT? d. Files used on loop? Always use GPT, and follow the GPT guideline above. -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-13 18:54 ` Chris Murphy @ 2019-12-13 21:41 ` Arno Wagner 0 siblings, 0 replies; 21+ messages in thread From: Arno Wagner @ 2019-12-13 21:41 UTC (permalink / raw) To: dm-crypt On Fri, Dec 13, 2019 at 19:54:48 CET, Chris Murphy wrote: > On Fri, Dec 13, 2019 at 7:59 AM Milan Broz <gmazyland@gmail.com> wrote: > > > > Hi, > > > > On 07/12/2019 00:10, Chris Murphy wrote: > > > I'm wondering if it's possible, or LUKS2 could be extended, to support > > > an non-encrypted target. That is, the virtual device and backing > > > device would contain the same information. > > > > (You are not the first one asking for support for this option.) > > > > In fact, the support is already there. But I am reluctant to officially > > support it for a very long time, because it would be super confusing > > for users (We have LUKS, but actually no encryption?!) > > I agree there is potential for confusion. And it might be out of scope for LUKS. > > When I do: > # blkid > > I see a partition is TYPE="crypto_LUKS" and that's a fairly difficult > statement of fact to overcome with a "yeah but it really isn't crypto, > you should have run this other command that would tell you that". > > There is a valid argument that the crypto_LUKS signature should be > trusted to mean the contents are in fact ciphertext,, and not > pseudo-ciphertext trivially unlocked. Very much so. Security is hard enough if KISS is used everywhere. When KISS is violated, things become impossible to understand and manage. Most successful engineering these days is not only smart people doing things, it is smart people with a lot of experience following KISS and hence actually understanding what they are doing. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-13 14:59 ` Milan Broz 2019-12-13 18:54 ` Chris Murphy @ 2019-12-14 4:28 ` Robert Nichols 2019-12-14 14:42 ` Arno Wagner 1 sibling, 1 reply; 21+ messages in thread From: Robert Nichols @ 2019-12-14 4:28 UTC (permalink / raw) To: dm-crypt On 12/13/19 8:59 AM, Milan Broz wrote: > Hi, > > On 07/12/2019 00:10, Chris Murphy wrote: >> I'm wondering if it's possible, or LUKS2 could be extended, to support >> an non-encrypted target. That is, the virtual device and backing >> device would contain the same information. > > (You are not the first one asking for support for this option.) > > In fact, the support is already there. But I am reluctant to officially > support it for a very long time, because it would be super confusing > for users (We have LUKS, but actually no encryption?!) How about using real encryption but use /dev/null as the key-file? (Just a thought.) -- Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it. ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-14 4:28 ` Robert Nichols @ 2019-12-14 14:42 ` Arno Wagner 2019-12-14 21:18 ` Chris Murphy 0 siblings, 1 reply; 21+ messages in thread From: Arno Wagner @ 2019-12-14 14:42 UTC (permalink / raw) To: dm-crypt On Sat, Dec 14, 2019 at 05:28:31 CET, Robert Nichols wrote: > On 12/13/19 8:59 AM, Milan Broz wrote: > >Hi, > > > >On 07/12/2019 00:10, Chris Murphy wrote: > >>I'm wondering if it's possible, or LUKS2 could be extended, to support > >>an non-encrypted target. That is, the virtual device and backing > >>device would contain the same information. > > > >(You are not the first one asking for support for this option.) > > > >In fact, the support is already there. But I am reluctant to officially > >support it for a very long time, because it would be super confusing > >for users (We have LUKS, but actually no encryption?!) > > How about using real encryption but use /dev/null as the key-file? > (Just a thought.) I can see some nice failure modes with that, e.g. with accidentally empty key files. I am also not sure what the use-case of the whole thing is besides benchmarking and debugging as Milan said. If you want to put evertyhing in place, but do not encrypt (yet) so you can just encrypt data in place later, this may be the wrong approach. I reccomend (and I think that is in the FAQ) to do a backup, wipe the data and make a LUKS container and then to restore that backup. Doing this without backup is dangerous anyways. I think this may not have a good solution and we should default to "secure" here. There are far too many security issues today that come from people having selected "convenient" instead. Having some way to do this that is not too convenient or obvious is fine. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-14 14:42 ` Arno Wagner @ 2019-12-14 21:18 ` Chris Murphy 2019-12-15 17:51 ` Jordan Glover 0 siblings, 1 reply; 21+ messages in thread From: Chris Murphy @ 2019-12-14 21:18 UTC (permalink / raw) To: dm-crypt On Sat, Dec 14, 2019 at 7:45 AM Arno Wagner <arno@wagner.name> wrote: > > On Sat, Dec 14, 2019 at 05:28:31 CET, Robert Nichols wrote: > > On 12/13/19 8:59 AM, Milan Broz wrote: > > >Hi, > > > > > >On 07/12/2019 00:10, Chris Murphy wrote: > > >>I'm wondering if it's possible, or LUKS2 could be extended, to support > > >>an non-encrypted target. That is, the virtual device and backing > > >>device would contain the same information. > > > > > >(You are not the first one asking for support for this option.) > > > > > >In fact, the support is already there. But I am reluctant to officially > > >support it for a very long time, because it would be super confusing > > >for users (We have LUKS, but actually no encryption?!) > > > > How about using real encryption but use /dev/null as the key-file? > > (Just a thought.) > > I can see some nice failure modes with that, e.g. with accidentally > empty key files. > > I am also not sure what the use-case of the whole thing is > besides benchmarking and debugging as Milan said. > > If you want to put evertyhing in place, but do not encrypt (yet) > so you can just encrypt data in place later, this may be the wrong > approach. I reccomend (and I think that is in the FAQ) to do a > backup, wipe the data and make a LUKS container and then to restore > that backup. Doing this without backup is dangerous anyways. > > I think this may not have a good solution and we should default to > "secure" here. There are far too many security issues today that > come from people having selected "convenient" instead. Having some > way to do this that is not too convenient or obvious is fine. I don't know how it works with APFS (Apple File System) today, but up until a couple years ago when Apple was still using JHFS+ and Core Storage (their logical volume manager, with nearly the same terminology as LVM), they had a live migration between unencrypted (default installations) and encrypted. The user could even shutdown and reboot during the conversion. Based on observation, not any detailed analysis, the original state out of the box has no encryption, and no Core Storage. It's a plain GPT partition, using an HFS+ type code, and an ordinary journaled HFS+ volume. Upon enabling encryption, I surmise based on the before, during, and after states on disk, that the HFS+ volume is slightly shrunk (perhaps ~100MB, I'm guessing based on years of memory recall here so take it with a grain of salt), and a bunch of Core Storage metadata is written in that space, the original partition is changed into a Core Storage partition in the GPT, while also presumably becoming a PV (physical volume). And the conversion is maybe something like a pvmove --atomic where the unencrypted extents are encrypted and written elsewhere, while continuously expanding the encrypted PV and shrinking the encrypted one. From a user perspective, they're informed the encryption conversion status is progressing with some time estimate to completion. The before state on disk is clearly not encrypted, and the conversion state is both in the GUI and CLI commands, also clearly stated to be in a state of conversion and also it indicates which direction the conversion is happening: encrypting or decrypting, since it's possible to completely reverse this. Also, while they have all the same PV, VG, LV terms, they also have an LF (logical family) layer which is functionally inserting a LUKS layer as an attribute to an LV. i.e. encryption is an integrated function of Core Storage. So that's as a point of comparison what I think people are after is that kind of use case, where LUKS2 already offers a live re-encryption, but not an easy way to opt into it if it's not already encrypted. You'd have to do a monolithic, offline, backup, setup encryption, and restore. It's a bit tedious and requires some expertise to do that, rather than the experts inventing a thing so users can just push a button. The more regular users are left out of this, I think the better, not merely for their convenience, but so that they aren't f'g things up. A huge amount of data loss is user induced. I'm certainly on board the argument of keeping things simple as it pertains to the LUKS2 format, and not conflate either plaintext/pseudo-ciphertext with a volume that has metadata suggesting very clearly it's ciphertext. But I'm likewise not on board with the idea of avoiding user convenience, because that is when they make mistakes. And if it's left to people only a little more sophisticated than I am to invent something, that's when security mistakes get made, somehow having left some unencrypted residue behind or otherwise leaked some information. The impetus behind an Apple or Microsoft doing things this way, of course they don't want users having to do a monolithic backup and restore offline to get to an encrypted state. Users would sooner do without it. And they don't want to recommend a reinstallation of the OS to get there either for the same reason. Whereas on most Linux distros this question is asked at install time. But that's often not when the user has thought about whether or not that applies to their use case, and opts for no encryption, and later realizing that their chance is lost with a high burden to encrypt, they forego it. And now some distributions either default to encryption enabled, or are discussing it, with various degrees of consequences (the keyboard layout problems, and whether the LUKS passphrase really is properly considered user domain at all). -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-14 21:18 ` Chris Murphy @ 2019-12-15 17:51 ` Jordan Glover 2019-12-15 19:12 ` Arno Wagner 2019-12-15 20:49 ` Chris Murphy 0 siblings, 2 replies; 21+ messages in thread From: Jordan Glover @ 2019-12-15 17:51 UTC (permalink / raw) To: Chris Murphy; +Cc: dm-crypt I think encrypting previously unencrypted data on the same disk doesn't guarantee that old data won't be recoverable especially on ssd/nvme which are ubiquitous today. Officially supporting such case on LUKS will give users false sense of security of their data. Jordan ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-15 17:51 ` Jordan Glover @ 2019-12-15 19:12 ` Arno Wagner 2019-12-15 20:49 ` Chris Murphy 1 sibling, 0 replies; 21+ messages in thread From: Arno Wagner @ 2019-12-15 19:12 UTC (permalink / raw) To: Jordan Glover; +Cc: Chris Murphy, dm-crypt Good point. See also FAQ Item 5.19. While a false sense of security is great for marketing, I agree that we should avoid it. Regards, Arno On Sun, Dec 15, 2019 at 18:51:00 CET, Jordan Glover wrote: > I think encrypting previously unencrypted data on the same disk > doesn't guarantee that old data won't be recoverable especially > on ssd/nvme which are ubiquitous today. Officially supporting > such case on LUKS will give users false sense of security of > their data. > > Jordan > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > https://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-15 17:51 ` Jordan Glover 2019-12-15 19:12 ` Arno Wagner @ 2019-12-15 20:49 ` Chris Murphy 2019-12-16 17:08 ` Jordan Glover 1 sibling, 1 reply; 21+ messages in thread From: Chris Murphy @ 2019-12-15 20:49 UTC (permalink / raw) To: Jordan Glover; +Cc: Chris Murphy, dm-crypt On Sun, Dec 15, 2019 at 10:51 AM Jordan Glover <Golden_Miller83@protonmail.ch> wrote: > > I think encrypting previously unencrypted data on the same disk > doesn't guarantee that old data won't be recoverable especially > on ssd/nvme which are ubiquitous today. Officially supporting > such case on LUKS will give users false sense of security of > their data. This problem exists even in the backup and restore to LUKS encrypted volume case. In fact it's less reliable because there's no assurance with backup->restore method that all previously occupied LBAs are overwritten, whereas an inplace conversion can assure that all LBAs in the previous range are read and encrypted. It's a matter of implementation, there's the potential for false sense of security regardless. -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-15 20:49 ` Chris Murphy @ 2019-12-16 17:08 ` Jordan Glover 2019-12-16 18:24 ` Chris Murphy 0 siblings, 1 reply; 21+ messages in thread From: Jordan Glover @ 2019-12-16 17:08 UTC (permalink / raw) To: Chris Murphy; +Cc: dm-crypt On Sunday, December 15, 2019 8:49 PM, Chris Murphy <lists@colorremedies.com> wrote: > On Sun, Dec 15, 2019 at 10:51 AM Jordan Glover > Golden_Miller83@protonmail.ch wrote: > > > I think encrypting previously unencrypted data on the same disk > > doesn't guarantee that old data won't be recoverable especially > > on ssd/nvme which are ubiquitous today. Officially supporting > > such case on LUKS will give users false sense of security of > > their data. > > This problem exists even in the backup and restore to LUKS encrypted > volume case. In fact it's less reliable because there's no assurance > with backup->restore method that all previously occupied LBAs are > > overwritten, whereas an inplace conversion can assure that all LBAs in > the previous range are read and encrypted. It's a matter of > implementation, there's the potential for false sense of security > regardless. > > Chris Murphy AFAIK simply overwriting data isn't reliable method for cleaning ssd/nvme. For those either ATA SECURE ERASE[1] or blkdiscard[2] should be used. Unless I'm mistaken, inplace conversion does neither while user can run them manually during backup/restore. [1] https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase [2] http://man7.org/linux/man-pages/man8/blkdiscard.8.html Jordan ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 17:08 ` Jordan Glover @ 2019-12-16 18:24 ` Chris Murphy 2019-12-16 18:49 ` Arno Wagner ` (2 more replies) 0 siblings, 3 replies; 21+ messages in thread From: Chris Murphy @ 2019-12-16 18:24 UTC (permalink / raw) To: Jordan Glover; +Cc: Chris Murphy, dm-crypt On Mon, Dec 16, 2019 at 10:08 AM Jordan Glover <Golden_Miller83@protonmail.ch> wrote: > > On Sunday, December 15, 2019 8:49 PM, Chris Murphy <lists@colorremedies.com> wrote: > > > On Sun, Dec 15, 2019 at 10:51 AM Jordan Glover > > Golden_Miller83@protonmail.ch wrote: > > > > > I think encrypting previously unencrypted data on the same disk > > > doesn't guarantee that old data won't be recoverable especially > > > on ssd/nvme which are ubiquitous today. Officially supporting > > > such case on LUKS will give users false sense of security of > > > their data. > > > > This problem exists even in the backup and restore to LUKS encrypted > > volume case. In fact it's less reliable because there's no assurance > > with backup->restore method that all previously occupied LBAs are > > > > overwritten, whereas an inplace conversion can assure that all LBAs in > > the previous range are read and encrypted. It's a matter of > > implementation, there's the potential for false sense of security > > regardless. > > > > Chris Murphy > > AFAIK simply overwriting data isn't reliable method for cleaning ssd/nvme. > For those either ATA SECURE ERASE[1] or blkdiscard[2] should be used. > > Unless I'm mistaken, inplace conversion does neither while user can run > them manually during backup/restore. Without testing, which would be make/model/firmware specific, it's not certain what really happens on flash memory chips themselves. ATA Secure Erase is probably the better recommendation but as both ultimately depend on drive firmware to fulfill the operation, it's really a big *shrug* and therefore I reject the idea that there is a clear line in the sand. It should be true and probably is true that Secure Erase Enhanced or Sanitize are better than blkdiscard. But if it's uncertain, on what basis is a line drawn? Upstreams can state the facts including the unknowns, and help user and distros draw their own line. But consider that as a direct consequence of the burden to backup->luksFormat>restore, quite a lot of users opt out of encryption entirely. The point of in-place conversion isn't perfect security. It's to get more users to opt in, by reducing the penalty of opting in. False sense of security? We have this problem already with cryptsetup --allow-discards leaking fs specific locality in combination with fstrim. And fscrypt() leaks quite a lot of metadata. And the ATA spec allows reserve and overprovision areas to not be erased with Secure Erase, where either Secure Erase Enhanced and Sanitize should cover those areas. In place conversion can be better supported in more sophisticated environments. Linux installers are already overly complicated and soak limited resources maintaining them Opting into encryption right now essentially requires either installer support or the burden of backup restore. That's not great choices. And what installers provide an ATA Secure Erase or Sanitize option? I don't know of any. Conversely, Windows and macOS use comparatively brain dead installers (very simplistic UI, perhaps a few choices at most, pretty much amounting to point at a target and push a button). Easy to install. Easy to make the encryption decision later without the penalty of backup restore. Perfectly secure encryption? I don't know. But the barrier to entry is low. It is a very different problem where to find the resources to build in-place conversion. But I think it's unwittingly asking more users to forgo encryption at all to argue against it on the basis that it's somehow a significant security risk. How many hours, days or weeks of typical usage do you think takes before all cells have either been erased or overwritten by encrypted data? There is interim exposure, that some use case will care about, but some won't. And that might be more useful in assessing a personal line in the sand than categorically saying in-place conversion gives a false sense of security. -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 18:24 ` Chris Murphy @ 2019-12-16 18:49 ` Arno Wagner 2019-12-16 20:46 ` Chris Murphy 2019-12-16 21:33 ` Michael Kjörling 2019-12-17 17:07 ` Jordan Glover 2 siblings, 1 reply; 21+ messages in thread From: Arno Wagner @ 2019-12-16 18:49 UTC (permalink / raw) To: dm-crypt On Mon, Dec 16, 2019 at 19:24:33 CET, Chris Murphy wrote: [...] > But consider that as a direct consequence of the burden to > backup->luksFormat>restore, quite a lot of users opt out of encryption > entirely. The point of in-place conversion isn't perfect security. > It's to get more users to opt in, by reducing the penalty of opting > in. But why would you _want_ users to "opt in"? It seems like entirely the wrong thing to do to me. First consider that the users you are talking about do not have backups. Hence their data must be basically worthless anyways! Second, their data is so little in need of protection that something as simple and as a backup already makes them do without encryption. Hence their data must actually not be sensitive in any way! Given these two things, why on earth do you want these people to use encryption? Security comes at a price. That price has to be paid. No price - no security. There is _no_ way to fix this and trying to do so only does damage to the user by making things too complex for them to handle. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 18:49 ` Arno Wagner @ 2019-12-16 20:46 ` Chris Murphy 2019-12-16 22:08 ` Arno Wagner 0 siblings, 1 reply; 21+ messages in thread From: Chris Murphy @ 2019-12-16 20:46 UTC (permalink / raw) To: dm-crypt On Mon, Dec 16, 2019 at 11:52 AM Arno Wagner <arno@wagner.name> wrote: > > On Mon, Dec 16, 2019 at 19:24:33 CET, Chris Murphy wrote: > [...] > > But consider that as a direct consequence of the burden to > > backup->luksFormat>restore, quite a lot of users opt out of encryption > > entirely. The point of in-place conversion isn't perfect security. > > It's to get more users to opt in, by reducing the penalty of opting > > in. > > But why would you _want_ users to "opt in"? It seems like entirely > the wrong thing to do to me. First consider that the users > you are talking about do not have backups. Hence their data must > be basically worthless anyways! First, this is a distraction and not relevant. It conflats confidentiality with integrity/availability of the data. That the data should be private/remain confidential is not related to it's long term value. Second, blkdiscard and fstrim can merely flag cells for erasure, or merely dereference LBAs. No assurance the cells are actually erased or when they will be erased. It's the same as the firmware passively determining cells can be marked for erasure upon LBA overwrite of an in-place conversion. Is it your position that only Security Erase, Security Erase Enhanced, or Sanitize avoid giving the user a false sense of security? In which case, now the procedure requires a complete wipe of the drive. And that means a fully offline process to conduct the restore until it is complete during which time the system is not usable. And it's extra burdensome for dual boot users, who must do two full reinstallations and restores of those two operating systems. >Second, their data is so little > in need of protection that something as simple and as a backup > already makes them do without encryption. Hence their data must > actually not be sensitive in any way! I reject the premise entirely. And it ignores users who have done a backup, who still have a significantly greater burden put on them through esoteric processes necessary to do encryption after the fact, and a monolithic restore from backup which prevents them from working until the restore is complete. That is not the case with in-place conversion - the system is completely transparently usable the entire time including reboots and shutdowns. > Given these two things, why on earth do you want these people > to use encryption? I think these are weak arguments, in addition to wholesale ignoring users who do backup who still have an unreasonable burden put on them by existing choices: install time encryption or post-install partition ninja and offline restore. The vastly stronger argument is: this is really hard to do and we don't want to do it. Papering over that with unpersuasive security concerns, and making assumptions about whether users backup or not, doesn't progress the conversation. > Security comes at a price. That price has to be paid. > No price - no security. There is _no_ way to fix this and trying > to do so only does damage to the user by making things too complex > for them to handle. The backup restore proposal is too complex, it's why users don't opt in now. It's why alternatives are being explored by downstreams. The argument that the user is at greater risk with an in-place conversion than backup restore, neither depending on prior Secure Erase or Sanitize but only depending on trim/discard, is not persuasive. Such preparation is not built-in for any distro installer with which I'm familiar, not even as an option let alone by default. Secure Erase is esoteric knowledge. I would be surprised if 1 in 1000 users has heard of it. -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 20:46 ` Chris Murphy @ 2019-12-16 22:08 ` Arno Wagner 0 siblings, 0 replies; 21+ messages in thread From: Arno Wagner @ 2019-12-16 22:08 UTC (permalink / raw) To: dm-crypt On Mon, Dec 16, 2019 at 21:46:40 CET, Chris Murphy wrote: > On Mon, Dec 16, 2019 at 11:52 AM Arno Wagner <arno@wagner.name> wrote: > > > > On Mon, Dec 16, 2019 at 19:24:33 CET, Chris Murphy wrote: > > [...] > > > But consider that as a direct consequence of the burden to > > > backup->luksFormat>restore, quite a lot of users opt out of encryption > > > entirely. The point of in-place conversion isn't perfect security. > > > It's to get more users to opt in, by reducing the penalty of opting > > > in. > > > > But why would you _want_ users to "opt in"? It seems like entirely > > the wrong thing to do to me. First consider that the users > > you are talking about do not have backups. Hence their data must > > be basically worthless anyways! > > First, this is a distraction and not relevant. It conflats > confidentiality with integrity/availability of the data. That the data > should be private/remain confidential is not related to it's long term > value. It is related to whether they have a backup procedure in place or not. If you find that irrelevant, then I really cannot help you. Doing any kind of partition or filesystem manipulation without a current, good backup is foolish at best and asking for data loss at worst. And no, I am not open to debate on this. > Second, blkdiscard and fstrim can merely flag cells for erasure, or > merely dereference LBAs. No assurance the cells are actually erased or > when they will be erased. It's the same as the firmware passively > determining cells can be marked for erasure upon LBA overwrite of an > in-place conversion. > > Is it your position that only Security Erase, Security Erase Enhanced, > or Sanitize avoid giving the user a false sense of security? In which > case, now the procedure requires a complete wipe of the drive. And > that means a fully offline process to conduct the restore until it is > complete during which time the system is not usable. And it's extra > burdensome for dual boot users, who must do two full reinstallations > and restores of those two operating systems. Who are you answering to here? _My_ position is that the only way to securely erase an SSD is physical destruction. > >Second, their data is so little > > in need of protection that something as simple and as a backup > > already makes them do without encryption. Hence their data must > > actually not be sensitive in any way! > > I reject the premise entirely. And I reject your rejection entirely as well. It seems to me _you_ want to push something on users that they do not actually want or need. And you have presented exactly zero good arguments so far why people should encrypt. > And it ignores users who have done a > backup, who still have a significantly greater burden put on them > through esoteric processes necessary to do encryption after the fact, > and a monolithic restore from backup which prevents them from working > until the restore is complete. That is not the case with in-place > conversion - the system is completely transparently usable the entire > time including reboots and shutdowns. Excuse me? Since when is doing a backup and restore in any way "esoteric"? How much experience do you have with this "computing" thing? Also, what makes you think that in-place conversion can easily reach the level of resilience you assume it has? Getting there takes a _lot_ of testing and very defensive and careful coding and it may well have to include other layers than the one LUKS resides in. > > Given these two things, why on earth do you want these people > > to use encryption? > > I think these are weak arguments, Do you have any actual argument here? Because it does not seem you have any... > in addition to wholesale ignoring > users who do backup who still have an unreasonable burden put on them > by existing choices: install time encryption or post-install partition > ninja and offline restore. How on earth can you call this an "unreasonable burden"? > The vastly stronger argument is: this is really hard to do and we > don't want to do it. Ok, I see you are not actually interested in any facts here, you just want to push your view. Even minimal standards of competent private IT operation do include backup and restore as standard operations. > Papering over that with unpersuasive security concerns, and making > assumptions about whether users backup or not, doesn't progress the > conversation. As does allowing exactly no progress except in the direction you are trying to force. And please stop the cheap propaganda language. It is insulting. And it convinces nobody. > > Security comes at a price. That price has to be paid. > > No price - no security. There is _no_ way to fix this and trying > > to do so only does damage to the user by making things too complex > > for them to handle. > > The backup restore proposal is too complex, it's why users don't opt > in now. It's why alternatives are being explored by downstreams. Empty, unfounded claim. Why again do you want users to "opt in"? Oh, right, You did not say. > The argument that the user is at greater risk with an in-place > conversion than backup restore, neither depending on prior Secure > Erase or Sanitize but only depending on trim/discard, is not > persuasive. I did not make that argument. > Such preparation is not built-in for any distro installer > with which I'm familiar, not even as an option let alone by default. > Secure Erase is esoteric knowledge. I would be surprised if 1 in 1000 > users has heard of it. And that is why I recommend physical destruction instead. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 18:24 ` Chris Murphy 2019-12-16 18:49 ` Arno Wagner @ 2019-12-16 21:33 ` Michael Kjörling 2019-12-16 22:17 ` Chris Murphy 2019-12-17 17:07 ` Jordan Glover 2 siblings, 1 reply; 21+ messages in thread From: Michael Kjörling @ 2019-12-16 21:33 UTC (permalink / raw) To: dm-crypt On 16 Dec 2019 11:24 -0700, from lists@colorremedies.com (Chris Murphy): > In place conversion can be better supported in more sophisticated > environments. Linux installers are already overly complicated and soak > limited resources maintaining them Opting into encryption right now > essentially requires either installer support or the burden of backup > restore. That's not great choices. And what installers provide an ATA > Secure Erase or Sanitize option? I don't know of any. I don't know about current Mac OS X, but Windows has it far easier. They only support two (three if you count ReFS) file systems, and IIRC only NTFS can be used on the system partition. An in-place conversion from unencrypted to encrypted can be developed and tested _relatively_ painlessly when you basically only need to support _one_ format within the encrypted container, whether the container format is called LUKS or BitLocker or something else. Contrast this to LUKS on Linux, which can be used with anything from no file system at all to file systems you might not have even heard of. Okay, it's probably fairly simple to do an in-place conversion of a container that contains just an ext4 file system, and it's probably a reasonable first step since ext4 is so commonly used. What if what's in the container is a part of a volume group? What if it's a part of a MD RAID array? What if it's a part of a Btrfs file system? A part of a ZFS vdev? (In the case of the latter two, either mirrored or RAID5/6-esque.) Or XFS? How about a squashfs? And that's just to list a few. And that's before we consider people potentially doing crazy things like putting a LUKS container inside a LUKS container. Or people who still use LILO. Sure, for some of those, you might say "we don't need to cater to those cases for online migration from unencrypted to encrypted". But that, too, is drawing a largely arbitrary line somewhere. What says one thing goes on one side of that line, and another goes on the other side, except someone's say-so? The seemingly obvious solution indeed is to have an unencrypted LUKS container pre-prepared, at which point it's possible to do at least an offline reencryption in-place with current tools. But then the issue indeed becomes that you've got metadata that indicates you've got something which is normally encrypted, except in this one case where it isn't. That seems likely to trip at least a moderate number of people up because they'd look, see LUKS, and conclude that their data is protected, when in fact it isn't. Every tool that identifies something as a LUKS container would, at a minimum, need to peek into it to identify the "unencrypted LUKS" special case to protect against this. Which again is much easier when you control the entire operating system, including the system software. > Conversely, Windows and macOS use comparatively brain dead installers > (very simplistic UI, perhaps a few choices at most, pretty much > amounting to point at a target and push a button). Easy to install. > Easy to make the encryption decision later without the penalty of > backup restore. Perfectly secure encryption? I don't know. But the > barrier to entry is low. I don't think I'd call the Windows installer "brain dead". Simplified, yes, but that's not the same thing. They hide a lot of the complexity which of course also means that when you _do_ have a legitimate need to do something out of the ordinary, you generally can't. There are Linux distributions with installers that aren't a great deal more complex than the Windows installer, especially if you go for the "simple" installation. Of course, if you take a distribution that's already geared toward power users, and use its advanced installation mode, you're going to be presented with a lot of choices, but only because you asked to be. As for backups; encryption increases the risk of data loss. I don't know off hand how long you've been on the list, but it happens usually a few times per year that someone asks how to recover their data because they can't open the LUKS container normally. _People in general don't have backups. My experience is that even fairly technically savvy people often don't have backups._ By adding encryption, especially with something like LUKS' anti-forensic properties, you (general "you") are increasing the risk of data loss quite significantly, because you go from what would otherwise be a trivial problem to making the same situation a catastrophic problem. I'm not a fan of scary UI messages, but I do feel that that _should_ come with big warning labels, so that the user is at least _aware_ of what they are doing and its implications. -- Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?” ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 21:33 ` Michael Kjörling @ 2019-12-16 22:17 ` Chris Murphy 0 siblings, 0 replies; 21+ messages in thread From: Chris Murphy @ 2019-12-16 22:17 UTC (permalink / raw) To: Michael Kjörling; +Cc: dm-crypt On Mon, Dec 16, 2019 at 2:36 PM Michael Kjörling <michael@kjorling.se> wrote: > > On 16 Dec 2019 11:24 -0700, from lists@colorremedies.com (Chris Murphy): > > In place conversion can be better supported in more sophisticated > > environments. Linux installers are already overly complicated and soak > > limited resources maintaining them Opting into encryption right now > > essentially requires either installer support or the burden of backup > > restore. That's not great choices. And what installers provide an ATA > > Secure Erase or Sanitize option? I don't know of any. > > I don't know about current Mac OS X, but Windows has it far easier. > They only support two (three if you count ReFS) file systems, and IIRC > only NTFS can be used on the system partition. An in-place conversion > from unencrypted to encrypted can be developed and tested _relatively_ > painlessly when you basically only need to support _one_ format within > the encrypted container, whether the container format is called LUKS > or BitLocker or something else. > > Contrast this to LUKS on Linux, which can be used with anything from > no file system at all to file systems you might not have even heard > of. Okay, it's probably fairly simple to do an in-place conversion of > a container that contains just an ext4 file system, and it's probably > a reasonable first step since ext4 is so commonly used. What if what's > in the container is a part of a volume group? What if it's a part of a > MD RAID array? What if it's a part of a Btrfs file system? A part of a > ZFS vdev? (In the case of the latter two, either mirrored or > RAID5/6-esque.) Or XFS? How about a squashfs? And that's just to list > a few. And that's before we consider people potentially doing crazy > things like putting a LUKS container inside a LUKS container. Or > people who still use LILO. I fully agree with all of these as possibly insurmountable hurdles, and the ensuing liabilities to develop, test, and maintain it. It's very much a exploded test matrix. These big companies have the luxury of lots of money and edicts mandate very narrowed scope. I can't argue with "it's too difficult to support it all as well as fully prevent crazy things" and it very well may be that the interest or even resource level isn't there to support subjectively narrowed solutions. That's compatible with my previous email. > > Sure, for some of those, you might say "we don't need to cater to > those cases for online migration from unencrypted to encrypted". But > that, too, is drawing a largely arbitrary line somewhere. What says > one thing goes on one side of that line, and another goes on the other > side, except someone's say-so? Resources. Interest. Expertise. The line is perhaps two parts subjective, one part objective. There is nothing wrong with that. It's not arbitrary or capricious. > The seemingly obvious solution indeed is to have an unencrypted LUKS > container pre-prepared, at which point it's possible to do at least an > offline reencryption in-place with current tools. But then the issue > indeed becomes that you've got metadata that indicates you've got > something which is normally encrypted, except in this one case where > it isn't. That seems likely to trip at least a moderate number of > people up because they'd look, see LUKS, and conclude that their data > is protected, when in fact it isn't. Every tool that identifies > something as a LUKS container would, at a minimum, need to peek into > it to identify the "unencrypted LUKS" special case to protect against > this. Which again is much easier when you control the entire operating > system, including the system software. What about a totally different "dummy" LUKS format, that is a place holder expressly for this purpose? Gets it's own magic, and libblkid would know about it, and therefore there'd be no confusion or wrong assumptions about it being encrypted? A "pre-gap" or "pre-partition" in front of the file system? Would mount need to know how to deal with it directly, or would it always need to be "opened" and the contained file system presented as a dm block device? > As for backups; encryption increases the risk of data loss. I don't > know off hand how long you've been on the list, but it happens usually > a few times per year that someone asks how to recover their data > because they can't open the LUKS container normally. Days, week. I saw one maybe minutes after my first post. I've been on linux-raid, lvm, and Btrfs lists for years and I'm aware of the common case of user induced data loss. >_People in > general don't have backups. My experience is that even fairly > technically savvy people often don't have backups._ By adding > encryption, especially with something like LUKS' anti-forensic > properties, you (general "you") are increasing the risk of data loss > quite significantly, because you go from what would otherwise be a > trivial problem to making the same situation a catastrophic problem. > I'm not a fan of scary UI messages, but I do feel that that _should_ > come with big warning labels, so that the user is at least _aware_ of > what they are doing and its implications. Yeah I consider it an unsolved problem in computer science generally; if there is a false sense of security that has meaningful impact on people's lives, it is the complacency of not knowing what to be worried about and the disproportionate penalties that can just appear. Maybe it's just early days of computing, we're still toddlers, we still fall down and get hurt and all we can do is dust ourselves off and be a little more careful next time. -- Chris Murphy ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-16 18:24 ` Chris Murphy 2019-12-16 18:49 ` Arno Wagner 2019-12-16 21:33 ` Michael Kjörling @ 2019-12-17 17:07 ` Jordan Glover 2019-12-18 0:24 ` Arno Wagner 2 siblings, 1 reply; 21+ messages in thread From: Jordan Glover @ 2019-12-17 17:07 UTC (permalink / raw) To: Chris Murphy; +Cc: dm-crypt On Monday, December 16, 2019 6:24 PM, Chris Murphy <lists@colorremedies.com> wrote: > On Mon, Dec 16, 2019 at 10:08 AM Jordan Glover > Golden_Miller83@protonmail.ch wrote: > > > On Sunday, December 15, 2019 8:49 PM, Chris Murphy lists@colorremedies.com wrote: > > > > > On Sun, Dec 15, 2019 at 10:51 AM Jordan Glover > > > Golden_Miller83@protonmail.ch wrote: > > > > > > > I think encrypting previously unencrypted data on the same disk > > > > doesn't guarantee that old data won't be recoverable especially > > > > on ssd/nvme which are ubiquitous today. Officially supporting > > > > such case on LUKS will give users false sense of security of > > > > their data. > > > > > > This problem exists even in the backup and restore to LUKS encrypted > > > volume case. In fact it's less reliable because there's no assurance > > > with backup->restore method that all previously occupied LBAs are > > > overwritten, whereas an inplace conversion can assure that all LBAs in > > > the previous range are read and encrypted. It's a matter of > > > implementation, there's the potential for false sense of security > > > regardless. > > > Chris Murphy > > > > AFAIK simply overwriting data isn't reliable method for cleaning ssd/nvme. > > For those either ATA SECURE ERASE[1] or blkdiscard[2] should be used. > > Unless I'm mistaken, inplace conversion does neither while user can run > > them manually during backup/restore. > > Without testing, which would be make/model/firmware specific, it's not > certain what really happens on flash memory chips themselves. ATA > Secure Erase is probably the better recommendation but as both > ultimately depend on drive firmware to fulfill the operation, it's > really a big shrug and therefore I reject the idea that there is a > clear line in the sand. It should be true and probably is true that > Secure Erase Enhanced or Sanitize are better than blkdiscard. But if > it's uncertain, on what basis is a line drawn? Upstreams can state > the facts including the unknowns, and help user and distros draw their > own line. > From my own testing I could trivially recover files after overwrite but not after blkdiscard. I can't rule out that some hardware hackers can recover data after blkdiscard or secure erase but for me the line in the sand lies between hardware hackers and average Jane that uses google. > But consider that as a direct consequence of the burden to > backup->luksFormat>restore, quite a lot of users opt out of encryption > > entirely. The point of in-place conversion isn't perfect security. > It's to get more users to opt in, by reducing the penalty of opting > in. > > False sense of security? We have this problem already with cryptsetup > --allow-discards leaking fs specific locality in combination with > fstrim. And fscrypt() leaks quite a lot of metadata. And the ATA spec > allows reserve and overprovision areas to not be erased with Secure > Erase, where either Secure Erase Enhanced and Sanitize should cover > those areas. > allow-discards downsides are in different league that recovering unencrypted data. I believe users will be better off while not using encryption and knowing that than using encryption in insecure way without knowing that. > In place conversion can be better supported in more sophisticated > environments. Linux installers are already overly complicated and soak > limited resources maintaining them Opting into encryption right now > essentially requires either installer support or the burden of backup > restore. That's not great choices. And what installers provide an ATA > Secure Erase or Sanitize option? I don't know of any. > > Conversely, Windows and macOS use comparatively brain dead installers > (very simplistic UI, perhaps a few choices at most, pretty much > amounting to point at a target and push a button). Easy to install. > Easy to make the encryption decision later without the penalty of > backup restore. Perfectly secure encryption? I don't know. But the > barrier to entry is low. > I believe referring to Windows as role example undermines your arguments rather than making them more compelling. Windows has history of "user friendliness" like preferring hardware encryption which ended as security failure: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028 It also leverages beloved tpm module: https://pulsesecurity.co.nz/articles/TPM-sniffing Whatever windows do with encryption it's anti-pattern and cryptsetup should stay away from that. Even on linux the "user friendly" installers were storing luks key in plaintext accessible to anyone: https://calamares.io/calamares-3.2.11-is-out/ > It is a very different problem where to find the resources to build > in-place conversion. But I think it's unwittingly asking more users to > forgo encryption at all to argue against it on the basis that it's > somehow a significant security risk. How many hours, days or weeks of > typical usage do you think takes before all cells have either been > erased or overwritten by encrypted data? There is interim exposure, > that some use case will care about, but some won't. And that might be > more useful in assessing a personal line in the sand than > categorically saying in-place conversion gives a false sense of > security. > > Chris Murphy I agree that security is hard and users are unsophisticated but I'm not convinced what you propose will help those people rather than hurt them. It's easy to imagine that people will believe that their data is encrypted after install if they use luks and miss the fact that some action is needed to actually enable encryption. Jordan ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [dm-crypt] LUKS2 support for null/plaintext target 2019-12-17 17:07 ` Jordan Glover @ 2019-12-18 0:24 ` Arno Wagner 0 siblings, 0 replies; 21+ messages in thread From: Arno Wagner @ 2019-12-18 0:24 UTC (permalink / raw) To: dm-crypt On Tue, Dec 17, 2019 at 18:07:11 CET, Jordan Glover wrote: > On Monday, December 16, 2019 6:24 PM, Chris Murphy <lists@colorremedies.com> wrote: [...] > > It is a very different problem where to find the resources to build > > in-place conversion. But I think it's unwittingly asking more users to > > forgo encryption at all to argue against it on the basis that it's > > somehow a significant security risk. How many hours, days or weeks of > > typical usage do you think takes before all cells have either been > > erased or overwritten by encrypted data? There is interim exposure, > > that some use case will care about, but some won't. And that might be > > more useful in assessing a personal line in the sand than > > categorically saying in-place conversion gives a false sense of > > security. > > > > Chris Murphy > > I agree that security is hard and users are unsophisticated but I'm not > convinced what you propose will help those people rather than hurt them. > It's easy to imagine that people will believe that their data is encrypted > after install if they use luks and miss the fact that some action is needed > to actually enable encryption. > > Jordan I agree on that. And here we have a responsibility: It must be as hard as possible to screw this up and the state things are in must be as obvious as possible. It is better if getting encryption requires some work and some reading, than if it is easy to mistake the state of things and thinking you are secure when you are not. That way, anybody that really cares will have encrytion and anybody that finds this too much of a bother will not have encryption, but they will all know where they stand. Also, I have absolutely no tolerance for the idea that everyting with computers must be (apparently) easy and simple. We spend years teching kids to learn how to read and write, but somehow when using the most sophisticated tech the human race has ever made, everything must be a single click. That is obvious nonsense and catering to this mindset does damage. What should be be done instead is to make it as clear as possible that some things are hard to do, hard to understand and that there is no replacement for finding out. That way, nobody will be fooled into thinking things are easy that are not, just because they have been designed to appear to be easy. You cannot make complicated things simple. Complexity can be hidden but only in mature tech can it be removed. In computers (which are anything but mature) you can only lie to the users, to their detriment. Regards, Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2019-12-18 0:24 UTC | newest] Thread overview: 21+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-12-06 23:10 [dm-crypt] LUKS2 support for null/plaintext target Chris Murphy 2019-12-07 9:39 ` Michael Kjörling 2019-12-08 16:59 ` Chris Murphy 2019-12-13 14:59 ` Milan Broz 2019-12-13 18:54 ` Chris Murphy 2019-12-13 21:41 ` Arno Wagner 2019-12-14 4:28 ` Robert Nichols 2019-12-14 14:42 ` Arno Wagner 2019-12-14 21:18 ` Chris Murphy 2019-12-15 17:51 ` Jordan Glover 2019-12-15 19:12 ` Arno Wagner 2019-12-15 20:49 ` Chris Murphy 2019-12-16 17:08 ` Jordan Glover 2019-12-16 18:24 ` Chris Murphy 2019-12-16 18:49 ` Arno Wagner 2019-12-16 20:46 ` Chris Murphy 2019-12-16 22:08 ` Arno Wagner 2019-12-16 21:33 ` Michael Kjörling 2019-12-16 22:17 ` Chris Murphy 2019-12-17 17:07 ` Jordan Glover 2019-12-18 0:24 ` Arno Wagner
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.