From: Rich Freeman
Date: Mon, 6 Jul 2020 07:02:01 -0400
Subject: Re: [gentoo-user] Encrypted drive setup at login and locking on logout.
To: gentoo-user@lists.gentoo.org
List-Id: Gentoo Linux mail

On Mon, Jul 6, 2020 at 5:05 AM William Kenworthy wrote:
>
> It also makes the point that any administrator will have access to the stick's data - not just the user (same as root under Linux).

This is just a fundamental issue about how computers work. If you attach your storage media to a computer, then potentially anybody who had either physical access or administrative access to that computer before you can read the storage media. If it is encrypted and you enter the decryption key into the computer, then that includes the encrypted data too.

There are of course operating systems that try to make this sort of thing harder, but there are many ways to bypass this sort of thing at either the hardware or software level. If you are plugging your USB drive into a computer you don't control, you really have no way to know what hardware or software it is using. It could contain hardware keyloggers, the OS might be tampered with, if the device is supposed to prevent OS tampering you don't know if the hardware was swapped out with hardware that doesn't prevent tampering, and so on.

This is why things like hardware password/key managers often implement a minimalistic serial/keyboard interface - to prevent the host they are plugged into from actually being able to directly access their secure storage.

I realize that you already said that this is your own hardware - I just wanted to point out this fundamental limitation.

This is one of the reasons that when I select laptops/tablets I tend to select ones that are very light/portable - the more likely I am to have it with me, the less likely I am to need to access my private data from systems I don't control.

--
Rich
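The contrast Rich draws above, as an added model that is not part of the original thread and not any real device's firmware: an encrypted stick that has been unlocked on the host exposes its whole contents to any privileged process there, whereas a key manager with a minimal command interface gives the host only metadata plus one secret per physical confirmation, and has no command that returns its storage at all. The vault entries, the frame layout (1-byte command, 2-byte length, payload) and the command/status codes are all constructed for this example.

```python
import struct

# Constructed sample vault; these are not real credentials.
SAMPLE_ENTRIES = {
    "mail": b"correct horse battery staple",
    "bank": b"hunter2-but-longer",
}

# Assumed status and command codes for the modelled device protocol.
STATUS_OK, STATUS_BAD_CMD, STATUS_NO_CONFIRM, STATUS_UNKNOWN_ENTRY = 0x00, 0x01, 0x02, 0x03
CMD_LIST, CMD_TYPE = 0x01, 0x02


def pack_frame(cmd, payload=b""):
    """Host -> device frame: 1-byte command, 2-byte big-endian length, payload."""
    return struct.pack(">BH", cmd, len(payload)) + payload


def unpack_response(resp):
    """Device -> host response: 1-byte status followed by the payload."""
    return resp[0], resp[1:]


class UnlockedStick:
    """Encrypted USB stick after the passphrase has been entered on the host.

    The decrypted block device is now readable by anything on the host with
    enough privilege, so the entire vault is a sequence of read() calls away.
    """

    def __init__(self, entries):
        # Serialise every entry into one blob, as a filesystem on the stick would.
        self.plaintext = b"\n".join(k.encode() + b"=" + v for k, v in entries.items())

    def read(self, offset, length):
        return self.plaintext[offset:offset + length]


class HardwareKeyManager:
    """Password device with a minimal serial/keyboard-style interface.

    The host may list entry names or ask for one entry to be "typed"; typing
    requires a physical button press the host cannot fake, and there is no
    command that hands back the storage itself.
    """

    def __init__(self, entries):
        self._entries = dict(entries)   # stays on the device; never returned whole
        self._pending_presses = 0

    def press_button(self):
        """Simulated physical confirmation; only the person at the device can do this."""
        self._pending_presses += 1

    def handle(self, frame):
        if len(frame) < 3:
            return bytes([STATUS_BAD_CMD])
        cmd, length = struct.unpack(">BH", frame[:3])
        payload = frame[3:3 + length]
        if cmd == CMD_LIST:
            return bytes([STATUS_OK]) + b"\0".join(n.encode() for n in sorted(self._entries))
        if cmd == CMD_TYPE:
            name = payload.decode(errors="replace")
            if name not in self._entries:
                return bytes([STATUS_UNKNOWN_ENTRY])
            if self._pending_presses == 0:
                return bytes([STATUS_NO_CONFIRM])
            self._pending_presses -= 1          # one press releases exactly one secret
            return bytes([STATUS_OK]) + self._entries[name]
        return bytes([STATUS_BAD_CMD])          # everything else, dump requests included


# Host-side helpers: what a compromised or hostile host can do in each model.

def dump_stick(stick):
    """A privileged host process reads the unlocked stick from start to end."""
    out, offset = b"", 0
    while True:
        chunk = stick.read(offset, 64)
        if not chunk:
            return out
        out += chunk
        offset += len(chunk)


def host_list(dev):
    status, payload = unpack_response(dev.handle(pack_frame(CMD_LIST)))
    return status, [p.decode() for p in payload.split(b"\0") if p]


def host_type(dev, name):
    status, payload = unpack_response(dev.handle(pack_frame(CMD_TYPE, name.encode())))
    return status, payload


def host_try_dump(dev):
    """Probe every other command byte for one that returns bulk storage."""
    leaked = {}
    for cmd in range(256):
        if cmd in (CMD_LIST, CMD_TYPE):
            continue
        status, payload = unpack_response(dev.handle(pack_frame(cmd)))
        if status == STATUS_OK and payload:
            leaked[cmd] = payload
    return leaked
```

The point the model makes is architectural rather than cryptographic: the stick's data is protected only until the key is entered on the host, after which `dump_stick` needs nothing but privilege on that host, while the key manager bounds what the host can obtain to one entry per press and never exposes a read path to its storage. A hostile host can still capture the one secret it is allowed to have typed, so the device limits the blast radius; it does not make an untrusted host safe.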