This article discusses data-at-rest encryption software, which on-the-fly encrypts / decrypts data written to / read from a block device, disk partition or directory. Examples of block devices are hard drives, flash drives and DVDs.

Data-at-rest encryption should only be viewed as an adjunct to the existing security mechanisms of the operating system. It focuses on securing physical access, while relying on other parts of the system to provide things like network security and user-based access control.

Why use encryption?

Data-at-rest encryption ensures that files are always stored on disk in an encrypted form. The files only become available to the operating system and applications in readable form while the system is running and unlocked by a trusted user (data in use or in transit). An unauthorized person looking at the disk contents directly will only find garbled, random-looking data instead of the actual files.

For example, this can prevent unauthorized viewing of the data when the computer or hard disk is:

- located in a place to which non-trusted people might gain access while you are away
- lost or stolen, as with laptops, netbooks or external storage devices

In addition, data-at-rest encryption can also be used to add some security against unauthorized attempts to tamper with your operating system – for example, the installation of keyloggers or Trojan horses by attackers who can gain physical access to the system while you are away.

Warning: Data-at-rest encryption does not protect your data from all threats. In particular, it does not protect against:

- Attackers who can break into your system (e.g. over the Internet) while it is running and after you have already unlocked and mounted the encrypted parts of the disk.
- Attackers who are able to gain physical access to the computer while it is running (even if you use a screen locker), or very shortly after it was running, if they have the resources to perform a cold boot attack.
- A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of coercion. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest. Also see XKCD #538.

Data-at-rest encryption also will not protect you against someone simply wiping your disk. Regular backups are recommended to keep your data safe.

A very strong disk encryption setup (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system before you use it. And even then it cannot prevent all types of tampering. The best remedy might be hardware-based full-disk encryption and Trusted Computing.

While encrypting only the user data itself (often located within the home directory, or on removable media like a data DVD) is the simplest and least intrusive method, it has some significant drawbacks. In modern computer systems, there are many background processes that may cache and store information about user data, or parts of the data itself, in non-encrypted areas of the hard drive, like:

- swap (potential remedies: disable swapping, or use encrypted swap as well)
- /tmp (temporary files created by user applications; potential remedies: avoid such applications, or mount /tmp inside a ramdisk)
- /var (log files, databases and such; for example, mlocate stores an index of all file names in /var/lib/mlocate/mlocate.db)

The solution is to encrypt both system and user data, preventing unauthorized physical access to private data that may be cached by the system. This however comes with the disadvantage that unlocking of the encrypted parts of the disk has to happen at boot time. Another benefit of system data encryption is that it complicates the installation of malware like keyloggers or rootkits for someone with physical access.

Which encryption setup is appropriate for you will depend on your goals (please read #Why use encryption? above) and system parameters. Among other things, you will need to answer the following questions:

- What kind of "attacker" do you want to protect against?
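As an added example (not code from the Arch Wiki article or the Arch project), the following POSIX shell script audits a user-data-only setup for the three plaintext caches discussed above: swap, /tmp and the mlocate database under /var. It assumes Linux with util-linux's lsblk and findmnt, and treats an lsblk TYPE of "crypt" as "backed by dm-crypt". Each check takes its input tables as text, so it runs against the live system or against the constructed sample tables at the bottom (sample data, not captured from a real machine).

```shell
#!/bin/sh
# Added example: audit the plaintext-leak vectors of a user-data-only
# encryption setup (swap, /tmp, /var). Assumes Linux + util-linux.
# Live usage:
#   audit "$(cat /proc/swaps)" "$(lsblk -rno KNAME,TYPE)" \
#         "$(findmnt -rno TARGET,FSTYPE)" "$(lsblk -rno TYPE,MOUNTPOINT)"

# swap_check SWAPS LSBLK
#   SWAPS: text of /proc/swaps. LSBLK: `lsblk -rno KNAME,TYPE`.
#   Succeeds when swap is off or every swap device is a dm-crypt mapping.
#   A swap file has no KNAME and is flagged too, which is correct when the
#   filesystem holding it is plaintext.
swap_check() {
    swaps=$1 lsblk=$2
    printf '%s\n' "$swaps" | awk 'NR > 1 { print $1 }' | while read -r dev; do
        kname=$(basename "$dev")                     # /dev/dm-1 -> dm-1
        type=$(printf '%s\n' "$lsblk" | awk -v k="$kname" '$1 == k { print $2 }')
        if [ "$type" != "crypt" ]; then
            echo "swap $dev is not a dm-crypt device (type: ${type:-unknown})"
            exit 1   # exits the pipeline subshell; becomes the function status
        fi
    done
}

# tmp_check FINDMNT
#   FINDMNT: `findmnt -rno TARGET,FSTYPE`. Succeeds when /tmp is tmpfs
#   (RAM-backed), the ramdisk remedy from the article.
tmp_check() {
    fstype=$(printf '%s\n' "$1" | awk '$1 == "/tmp" { print $2 }')
    if [ "$fstype" != "tmpfs" ]; then
        echo "/tmp is ${fstype:-not a separate mount}; temporary files land on disk"
        return 1
    fi
}

# mount_type_for_path LSBLK_MOUNTS PATH
#   LSBLK_MOUNTS: `lsblk -rno TYPE,MOUNTPOINT`. Prints the TYPE of the
#   device holding PATH: the longest mountpoint that is a prefix of PATH.
#   Rows without a mountpoint have one field and are skipped.
mount_type_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF == 2 {
            m = $2
            if (m == "/" || p == m || index(p, m "/") == 1)
                if (length(m) > length(best)) { best = m; type = $1 }
        }
        END { print type }'
}

# var_check LSBLK_MOUNTS
#   Succeeds when /var/lib/mlocate (the file-name index named in the
#   article) sits on a dm-crypt-backed mount.
var_check() {
    type=$(mount_type_for_path "$1" /var/lib/mlocate)
    if [ "$type" != "crypt" ]; then
        echo "/var/lib/mlocate is on a '${type:-unknown}' device, not dm-crypt"
        return 1
    fi
}

# audit SWAPS LSBLK FINDMNT LSBLK_MOUNTS -> 0 only if all three checks pass
audit() {
    rc=0
    swap_check "$1" "$2" || rc=1
    tmp_check "$3" || rc=1
    var_check "$4" || rc=1
    return $rc
}

# Constructed sample tables. "Leaky": only /home is encrypted.
LEAKY_SWAPS='Filename Type Size Used Priority
/dev/sda3 partition 8388604 0 -2'
LEAKY_LSBLK='sda disk
sda2 part
sda3 part
dm-0 crypt'
LEAKY_FINDMNT='/ ext4
/home ext4'
LEAKY_LSBLK_MOUNTS='disk
part /
part
crypt /home'
# "Fixed": encrypted root and swap, tmpfs /tmp.
FIXED_SWAPS='Filename Type Size Used Priority
/dev/dm-1 partition 8388604 0 -2'
FIXED_LSBLK='sda disk
dm-0 crypt
dm-1 crypt'
FIXED_FINDMNT='/ ext4
/tmp tmpfs'
FIXED_LSBLK_MOUNTS='disk
part /boot
crypt /
crypt [SWAP]'

if audit "$LEAKY_SWAPS" "$LEAKY_LSBLK" "$LEAKY_FINDMNT" "$LEAKY_LSBLK_MOUNTS"; then
    echo "leaky sample: no leaks found"
else
    echo "leaky sample: leaks found (expected)"
fi
audit "$FIXED_SWAPS" "$FIXED_LSBLK" "$FIXED_FINDMNT" "$FIXED_LSBLK_MOUNTS" && echo "fixed sample: clean"
```

On the leaky sample the script reports the plaintext swap partition, the on-disk /tmp and the mlocate database on the plaintext root; the fixed sample passes. One caveat: lsblk reports the TYPE of the topmost mapping, so an LVM logical volume sitting on top of a LUKS container shows as "lvm", not "crypt", and would be flagged as a false positive; in that layout check the parent device (e.g. with `lsblk -s`) instead.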