
/g/ - Technology

Make /g/ Great Again


 No.13278

Let's talk FDE.

Which cipher/mode/iv combo is best?

Key file or passphrase?

Detached header for plausible deniability?

Are there scenarios where plain mode is better than LUKS?

What are some extra steps you take to secure your setup?

____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.

 No.13291

>>13278

VeraCrypt


 No.13293

>>13278

I've never done a full disk encryption. I've done a home directory encryption, but that shit meant it took an extra 15s to boot.

>Detached header for plausible deniability?

Forgive me if this is a nigger tier question, but what are those?


 No.13296

Passphrase is fine, just use some GUI which shows how many chars you type, because it's a pain in the ass otherwise. The only other step I take to secure is long passphrases, which are also all different for all devices, and I don't save them anywhere. And I don't store them in any password manager. All in my head.


 No.13357

>>13278

The best option for Linux is headerless (detached header) LUKS2 with Serpent in XTS or LRW mode, Argon2(id) as KDF and Whirlpool or SHA-512 as hash function.

OpenBSD has two options: the old one: VND (limited to blowfish only) and the new one: SoftRaid (AES-XTS and bcrypt or PKCS#5 PBKDF2 as KDF). It's obvious which one of them you should use.


 No.13358

>>13293

Detached header means the header is not on the disk, therefore it is impossible to decrypt it. A LUKS container needs to read a header to be decrypted (because of the salt per-key used to generate the master key).

A good way to do LUKS encryption is to put the header and kernel on a USB drive. That means your disk can only be decrypted if the USB is plugged in.

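What the header discussed in the posts above looks like on disk, as an added example that is not part of any poster's message: it probes a 512-byte sector for the LUKS signature and reads the header fields, which is a quick way to confirm that a data device set up with a detached header carries no signature of its own. The field layout follows the LUKS1/LUKS2 on-disk formats; the function names and all sample bytes are constructed for illustration.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"           # primary header (LUKS1 and LUKS2)
LUKS2_BACKUP_MAGIC = b"SKUL\xba\xbe"   # LUKS2 secondary header

# LUKS2 binary header, big-endian: magic, version, hdr_size, seqid, label,
# checksum_alg, salt, uuid, subsystem, hdr_offset, padding, checksum.
LUKS2_FMT = ">6sHQQ48s32s64s40s48sQ184s64s"

def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def probe_luks(sector):
    """Return header info for a 512-byte sector, or None if no LUKS signature."""
    if len(sector) < 512 or sector[:6] not in (LUKS_MAGIC, LUKS2_BACKUP_MAGIC):
        return None
    version = struct.unpack(">H", sector[6:8])[0]
    if version == 1:
        # LUKS1 keeps cipher name, mode and hash spec right after the version.
        name, mode, hash_spec = struct.unpack(">32s32s32s", sector[8:104])
        return {"version": 1, "cipher": _cstr(name) + "-" + _cstr(mode),
                "hash": _cstr(hash_spec)}
    if version == 2:
        # LUKS2 keeps cipher and KDF settings in the JSON area that follows;
        # the binary header only identifies and checksums the metadata.
        f = struct.unpack(LUKS2_FMT, sector[:512])
        return {"version": 2, "backup": f[0] == LUKS2_BACKUP_MAGIC,
                "hdr_size": f[2], "seqid": f[3],
                "checksum_alg": _cstr(f[5]), "uuid": _cstr(f[7])}
    return {"version": version}

def sample_luks2_header():
    """Constructed LUKS2 primary header (placeholder UUID, zero salt/checksum)."""
    return struct.pack(LUKS2_FMT, LUKS_MAGIC, 2, 16384, 3, b"", b"sha256",
                       bytes(64), b"00000000-0000-0000-0000-000000000000",
                       b"", 0, b"", bytes(64))

def sample_detached_data_sector():
    """Constructed stand-in for sector 0 of a data device with a detached header."""
    return hashlib.sha256(b"constructed ciphertext").digest() * 16

if __name__ == "__main__":
    print(probe_luks(sample_luks2_header()))
    print(probe_luks(sample_detached_data_sector()))  # None: no signature
```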

 No.13359

Just about anything but hardware based. You may cry foul for even saying it, but even Microsoft has extensive testing in comparison (although Bitlocker will default to hw encryption if your drive has it.. which is dumb imo).


 No.13410

>>13359

What's wrong with hardware based encryption?


 No.13420


 No.13534

>>13358

>our disk can only be decrypted if the USB is plugged.

wow, i can't see that ever being a problem

like when my phone was stolen and i lost access to my goymail account.


 No.13547

bfhuthjk


 No.13561

Gjsjsj


 No.13583

>>13410

Hardware based encryption is a joke. Cloudflare uses a custom rig of lava lamps (lavarand) to generate enough entropy in their software. Don't rely on some bitch ass hard drives for encryption with high entropy keys.


 No.13609

>>13410

>blindly trusting closed source firmware

yeah every manufacturer implements encryption without flaws

https://www.tomshardware.com/news/crucial-samsung-ssd-encryption-bypassed,38025.html


 No.13988

I once read an article warning that none of them are really that safe. If some contents of the container are known, the password can be found out. I'm not trying to discourage anyone from using the ones we have. Though, I think we need something else.

Something along the lines of creating a schema based on the password, then creating a password for each file and also renaming the encrypted file, maybe even changing the size. This would be slow and only useful for the home dir. Maybe files would only be decrypted after clicking on a placeholder file, which would be shown in the folder after using the password. That should at least be an option, because decrypting the whole disk would take some time.



