[133513] in North American Network Operators' Group


Re: Windows Encryption Software

daemon@ATHENA.MIT.EDU (Chad Dailey)
Fri Dec 10 13:16:50 2010

In-Reply-To: <AANLkTimYbXQ4fQ1jpBiM4bSc0RQhgV8tarr-fmqYKgby@mail.gmail.com>
Date: Fri, 10 Dec 2010 12:16:46 -0600
From: Chad Dailey <nanog@thedaileyplanet.com>
To: William Herrin <bill@herrin.us>
Cc: nanog group <nanog@nanog.org>
Reply-To: nanog@thedaileyplanet.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

http://xkcd.com/538/

On Fri, Dec 10, 2010 at 9:58 AM, William Herrin <bill@herrin.us> wrote:

> On Fri, Dec 10, 2010 at 8:21 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> > Software-based solutions have the advantage that they are somewhat
> > more testable and reviewable.  If it's all in the disk, you can't
> > really be sure that the data is encrypted with a static key, and the
> > passphrase is used for access control only.  The latter approach seems
> > to be somewhat common with encrypting storage devices, unfortunately.
>
> It's not just common; it's the official standard. The API doesn't let
> you set the key or read the bare data. It lets you input a password
> to unlock both drive and encryption key and it lets you tell the
> drive to generate a new encryption key ("cryptographic erase"). So
> yes, you have to trust that the manufacturer is doing what they claim.
>
> This caused me some concern when I first got it, but at the end of the
> day I'm not trying to protect my files from someone with the resources
> to reconfigure hard drives in a way that allows them to go after the
> raw data without entering the password. I'm trying to protect them
> from the casual roadside thief.
>
> -Bill
>
>
>
> --
> William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
>
