From: Victor Ivanov
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
References: <7e55092b-1914-da09-cb33-25aea63d2b22@gmail.com> <6a9ae564-14be-aa10-e0d3-d50fd82e3e3b@gmail.com>
Message-ID: <7e2ee8c9-7956-39a4-e31b-6a3f40d08da9@gmail.com>
Date: Sun, 7 Jun 2020 01:47:17 +0100

On 06/06/2020 21:12, Rich Freeman wrote:
> My point remains:
>
> The header is as secure as the disk. If the disk is secure against
> brute-force, then so is the header.

I never said otherwise. This was, in fact, explicitly stated in the concluding remarks of my original post, where I say "If using a password, a strong password is a must." It was also emphasised once more in my response to your previous email, towards the end. But it also doesn't mean that one might not want to take additional preemptive steps following an attack, depending on the circumstances surrounding the attack.
On 06/06/2020 21:12, Rich Freeman wrote:
> Maybe we're miscommunicating, but it seems like you're moving the
> goalposts here.
> ...
> Your original point was, "The problem here is that a leaked header
> immediately means a compromised volume."

I believe we're on the same page and it's indeed due to miscommunication, and I suspect this is where the main point of miscommunication lies. You're taking my statement out of context. No doubt, I most certainly could have phrased this part better and made it clearer. It may not have been obvious, but that sentence was aimed specifically at the context where a weak password is used or, especially, when a password has been compromised, and how being able to change said password might have little effect. In which case the point still stands - when a password is compromised, there is a possibility that changing said password may not necessarily be the end of the matter, as the (old) header may or may not have been leaked too, either as part of the same or a previous attack - not necessarily involving physical access.

On 06/06/2020 21:12, Rich Freeman wrote:
> The whole reason you're using encryption is to
> protect the data if your disk is stolen/etc. If they steal the disk
> they get the header too. So, if a leaked header means that your
> volume is compromised, then a stolen disk does so as well, which means
> your encryption is worthless.

This is probably another point of confusion. You make a strong case about a stolen drive, but this was never a case I specifically argued about. If the whole drive itself is stolen then there's little to discuss, as there's nothing that can be done post facto to mitigate the circumstances, so any points raised re a leaked header or a change of password can be thrown out of the window, and the only hope in such a scenario is that the password used is strong enough to safeguard against guessing attacks. So this case is largely irrelevant re some of the points I made.
Perhaps it seems that the goalpost moves because I never set one - my original email was a _general discussion_ on the different considerations that one might want to have if using a password, and how the ability to change a password may lead to a false sense of security. Clearly, at the end of the day, how exactly all these points fit together is dependent on the threat model and what scenarios are more and less likely to happen, which I also pointed out but perhaps not as clearly as I should have. And so is the analysis, assessment of implications, and steps to take following an attack.

The only time I referred to non-password methods (such as a detached header) was in response to your previous email re header security. Retrospectively, I admit I too may have taken your point in a different, more general direction that takes the discussion beyond the scope of just passwords. For which I'm certainly liable.

I hope this clarifies the matter.

Best Regards,
Victor
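The scenario Victor describes above, a copied header plus a compromised old password surviving a later password change, can be made concrete with a small key-wrapping simulation. This is an added example, not code from the thread or from any disk-encryption project: it stands in for a LUKS-style header in which the data's master key is stored only wrapped under a password-derived key, so that changing the password re-wraps the same master key while a full re-key replaces it. The wrap is a toy (PBKDF2-derived one-time XOR plus an HMAC tag) in place of a real cipher and anti-forensic splitting, and the names (`Header`, `make_header`, `unlock`, `change_password`, `rekey_volume`, `scenario`), passwords and iteration count are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    """Stand-in for an on-disk encryption header. It never holds the master key
    in the clear, only the master key wrapped under a password-derived key."""
    salt: bytes
    iterations: int
    wrapped_key: bytes   # master key XORed with the password-derived wrapping key
    tag: bytes           # HMAC over salt + wrapped_key, so a wrong password is detected


def _derive(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """PBKDF2-SHA256 stretches the password; first half wraps, second half authenticates."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def make_header(master_key: bytes, password: str, iterations: int = 100_000) -> Header:
    """Wrap a 32-byte master key under `password` with a fresh random salt."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)
    kek, mac_key = _derive(password, salt, iterations)
    wrapped = bytes(m ^ k for m, k in zip(master_key, kek))   # toy wrap: one-time XOR
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return Header(salt, iterations, wrapped, tag)


def unlock(header: Header, password: str) -> bytes | None:
    """Return the master key if `password` opens `header`, otherwise None."""
    kek, mac_key = _derive(password, header.salt, header.iterations)
    expected = hmac.new(mac_key, header.salt + header.wrapped_key, "sha256").digest()
    if not hmac.compare_digest(expected, header.tag):
        return None
    return bytes(w ^ k for w, k in zip(header.wrapped_key, kek))


def change_password(header: Header, old_password: str, new_password: str) -> Header:
    """Password rotation is a header-only operation: the same master key is re-wrapped."""
    master_key = unlock(header, old_password)
    if master_key is None:
        raise ValueError("old password does not open this header")
    return make_header(master_key, new_password, header.iterations)


def rekey_volume(password: str, iterations: int = 100_000) -> tuple[bytes, Header]:
    """Full re-key: a brand-new master key (the data must be re-encrypted under it)."""
    new_master_key = secrets.token_bytes(32)
    return new_master_key, make_header(new_master_key, password, iterations)


def scenario() -> dict[str, bool]:
    """Play out the thread's case: the old header was copied and the old password leaked."""
    master_key = secrets.token_bytes(32)
    old_pw, new_pw = "old-passphrase", "new-passphrase"   # constructed sample values
    header_v1 = make_header(master_key, old_pw)           # the copy that leaked

    # The owner rotates the password; the live header is now header_v2.
    header_v2 = change_password(header_v1, old_pw, new_pw)

    # Alternatively the owner re-keys the volume entirely.
    new_master_key, _header_v3 = rekey_volume(new_pw)

    return {
        # Rotation does stop the old password against the *current* header...
        "old_pw_rejected_by_new_header": unlock(header_v2, old_pw) is None,
        # ...but the leaked copy plus the old password still yields the master key.
        "leaked_header_still_yields_master_key": unlock(header_v1, old_pw) == master_key,
        # Rotation only re-wraps, so the key actually protecting the data is unchanged.
        "rotation_kept_master_key": unlock(header_v2, new_pw) == master_key,
        # Only a re-key makes the leaked header useless for the re-encrypted data.
        "leaked_header_useless_after_rekey": unlock(header_v1, old_pw) != new_master_key,
    }


if __name__ == "__main__":
    for fact, holds in scenario().items():
        print(f"{fact}: {holds}")
```

The practical reading for a defender is the one the thread circles around: if there is any chance the old header was copied, a password change alone closes nothing, because the copied header and the old password together still yield the unchanged master key. The response that actually helps is to re-encrypt the volume under a fresh master key; keeping the header detached from the data disk reduces how often a disk image alone carries the header in the first place.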