No.13278
Let's talk FDE.
Which cipher/mode/iv combo is best?
Key file or passphrase?
Detached header for plausible deniability?
Are there scenarios where plain mode is better than LUKS?
What are some extra steps you take to secure your setup?
____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13291
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13293
>>13278
I've never done a full disk encryption. I've done a home directory encryption, but that shit meant it took an extra 15s to boot.
>Detached header for plausible deniability?
Forgive me if this is a nigger tier question, but what are those?
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13296
Passphrase is fine just use some gui, which shows how many chars you tipe, because it's pain in the ass otherwise. Only other step I take to secure is long passphrases which are also all different for all devices and don't save them anywhere. and I don't store them in any password manager. All in my head.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13357
>>13278
The best option for Linux is headerless (detached header) LUKS2 with Serpent in XTS or LRW mode, Argon2(id) as KDF and Whirlpool or SHA-512 as hash function.
OpenBSD has two options: the old one: VND (limited to blowfish only) and the new one: SoftRaid (AES-XTS and bcrypt or PKCS#5 PBKDF2 as KDF). It's obvious which one of them you should use.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13358
>>13293
Detached header means the header is not in disk, therefore is impossible to decrypt it. A LUKS container needs to read an header to be decrypted (because of the salt per-key used to generate the master key).
A good way to do LUKS encryption is to put the header and kernel in a USB driver. That means your disk can only be decrypted if the USB is plugged.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13359
Just about anything but hardware based. You may cry foul for even saying it, but even Microsoft has extensive testing in comparison (although Bitlocker will default to hw encryption if your drive has it.. which is dumb imo).
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13410
>>13359
What's wrong with hardware based encryption?
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13420
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13534
>>13358
>our disk can only be decrypted if the USB is plugged.
wow, i cant see that ever being a problem
like when my phone was stolen and i lost access to my goymail account.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13547
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13561
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13583
>>13410
Hardware based encryption is a joke. Cloudflare uses a custom rig of lava lamps (lavarand) to generate enough entropy in their software. Don't rely on some bitch ass hard drives for encryption with high entropy keys.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13609
>>13410
>blindly trusting closed source firmware
yeah every manufacturer implements encryption without flaws
https://www.tomshardware.com/news/crucial-samsung-ssd-encryption-bypassed,38025.html
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
No.13988
I once read an article warning that none of them are really that safe. If some contents of the container are known, the password can be found out. I'm not trying to discourage anyone from using the ones we have.Though, I think we need something else.
Something along the lines of creating a schema based on the password, then creating a password for each file and also renaming the encrypted file, maybe even changing the size. This would be slow and only useful for the home dir. Maybe files would only be decrypted after clicking on a placeholder file, which would be shown in the folder after using the password. That should at least be an option, because decrypting the whole disk would take some time.
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.