[133495] in North American Network Operators' Group
Re: Windows Encryption Software
daemon@ATHENA.MIT.EDU (William Herrin)
Fri Dec 10 10:59:17 2010
In-Reply-To: <87zksdbw6o.fsf@mid.deneb.enyo.de>
From: William Herrin <bill@herrin.us>
Date: Fri, 10 Dec 2010 10:58:48 -0500
To: Florian Weimer <fw@deneb.enyo.de>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> Software-based solutions have the advantage that they are somewhat
> more testable and reviewable. =A0If it's all in the disk, you can't
> really be sure that the data is encrypted with a static key, and the
> passphrase is used for access control only. =A0The latter approach seems
> to be somewhat common with encrypting storage devices, unfortunately.
It's not just common; it's the official standard. The API doesn't let
you set the key or read the bare data. It let's you input a password
to unlock both drive and encryption key and it let's you tell the
drive to generate a new encryption key ("cryptographic erase"). So
yes, you have to trust that the manufacturer is doing what they claim.
This caused me some concern when I first got it, but at the end of the
day I'm not trying to protect my files from someone with the resources
to reconfigure hard drives in a way that allows them to go after the
raw data without entering the password. I'm trying to protect them
from the casual roadside thief.
-Bill
--=20
William D. Herrin ................ herrin@dirtside.com=A0 bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
