[BBLISA] Looking for FDE single system windows 8

Rich Braun richb at pioneer.ci.net
Sat Jan 24 02:51:09 EST 2015


> On 2015/01/23 15:34, Daniel Feenberg wrote:
>> On Fri, 23 Jan 2015, John Orthoefer wrote:
>> The vendor literature is long on the benefits, but short on description.
>
> Hallelujah, brother, amen!

SERIOUSLY. Encryption in 2015 should just plain work, and shouldn't be the big
PITA that it truly is.  At work I've watched my cloud-based service go from
zero to $16M/year in the past 12-15 months, and we're still just using the
lame AWS "at-rest" encryption which protects against exactly one type of
threat: someone showing up at the data center with a weapon demanding the hard
drives.  It's the least-likely thing to ever happen, why bother with that at
all.

At home I've done something a whole lot more robust.  The demise of TrueCrypt
last year, along with a home burglary during which a thief snatched a
non-encrypted Windows laptop, motivated me to get a bit more serious about
encryption. Alas, without TrueCrypt you're left with one type of encryption
for Mac OS X, another for Windows, and a third for Linux (FileVault,
BitLocker, LUKS--all different, but all relying on the same AES extension in your
average Intel CPU).

Weeks into my effort, and now a few months later, I have a very nice LUKS
setup protecting my servers and one of my desktops.  But if I suddenly got hit
by a bus, it's not clear my heirs would readily be able to get into the data
they'd care about.  It was way too hard to set up the right way (putting the
keys onto USB thumb drives, making copies, creating a Raspberry Pi key-server,
setting up sshfs mounts for unattended reboot, etc). And burglaries are only a
relatively minor threat; the bigger threat is in user-space from Internet and
virus attacks, which full-disk encryption does nothing to protect against.
Vormetric's the most sophisticated commercial product, supporting block-level
encryption within user-space, but it's hellaciously expensive.  My freeware
LUKS setup will keep out the burglars but that's about all.

Gotta be a better way.

-rich







