public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Encrypted drive setup at login and locking on logout.
Date: Mon, 6 Jul 2020 07:02:01 -0400	[thread overview]
Message-ID: <CAGfcS_=KnT4YBti6H6EB8pfY9WLjayJyXG6tRuLv+epQsd4Bfg@mail.gmail.com> (raw)
In-Reply-To: <d4fd30c4-ce62-f84d-6995-86517b0acd5d@iinet.net.au>

On Mon, Jul 6, 2020 at 5:05 AM William Kenworthy <billk@iinet.net.au> wrote:
>
>  It also makes the point that any adminstrator will have access to the sticks data - not just the user (same as root under Linux).

This is just a fundamental issue about how computers work.  If you
attach your storage media to a computer, then potentially anybody who
had either physical access or administrative access to that computer
before you can read the storage media.  If it is encrypted and you
enter the decryption key into the computer, then that includes the
encrypted data too.

There are of course operating systems that try to make this sort of
thing harder, but there are many ways to bypass this sort of thing at
either the hardware or software level.  If you are plugging your USB
drive into a computer you don't control, you really have no way to
know what hardware or software it is using.  It could contain hardware
keyloggers, the OS might be tampered with, if the device is supposed
to prevent OS tampering you don't know if the hardware was swapped out
with hardware that doesn't prevent tampering, and so on.  This is why
things like hardware password/key managers often implement a
minimalistic serial/keyboard interface - to prevent the host they are
plugged into from actually being able to directly access their secure
storage.

I realize that you already said that this is your own hardware - I
just wanted to point out this fundamental limitation.  This is one of
the reasons that when I select laptops/tablets I tend to select ones
that are very light/portable - the more likely I am to have it with me
the less likely I am to need to access my private data from systems I
don't control.

-- 
Rich


  parent reply	other threads:[~2020-07-06 11:02 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-04  2:23 [gentoo-user] Encrypted drive setup at login and locking on logout Dale
2020-07-04  3:49 ` Francesco Turco
2020-07-04 13:01   ` Michael
2020-07-06  4:49 ` Dale
2020-07-06  5:24   ` William Kenworthy
2020-07-06  6:37     ` Dale
2020-07-06  9:05       ` William Kenworthy
2020-07-06  9:46         ` Dale
2020-07-06 10:17         ` Neil Bothwick
2020-07-06 11:02         ` Rich Freeman [this message]
2020-07-06  8:21   ` Neil Bothwick
2020-07-06  9:53     ` Dale
2020-07-06 10:19       ` Neil Bothwick

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGfcS_=KnT4YBti6H6EB8pfY9WLjayJyXG6tRuLv+epQsd4Bfg@mail.gmail.com' \
    --to=rich0@gentoo.org \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox