Full disk encryption with Ubuntu
Jeffrey Walton
noloader at gmail.com
Mon Jan 30 02:05:54 UTC 2023
On Sun, Jan 29, 2023 at 5:34 PM Hans via ubuntu-users
<ubuntu-users at lists.ubuntu.com> wrote:
> From: "Jared Norris" <jrnorris at gmail.com>
> [...]
> I'm trying to decide on the best approach, from what I can see the main options include
> 1 - hardware based SED - https://www.crucial.com/support/articles-faq-ssd/overview-hardware-encryption
> 2 - Ubuntu installer based LVM/LUKS - encryption option offered during installation
> 3 - Ubuntu software based full disk encryption - https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
>
> [...]
> What is the point of having all and everything encrypted?
> /home: of course, and perhaps /var, and /etc.
> But why all regular binaries?

If all binaries are encrypted using a FDE scheme, then it makes it
difficult for an attacker to replace a binary during an evil maid
attack.

A common attack vector when you have physical access to a machine is
to replace a binary like ls. The new ls will spawn a root console, and
then call the real ls command. The attacker then attaches to the new
terminal with root access.

That's why Microsoft's BitLocker uses FDE with a large block diffuser.
The diffuser is called the Elephant Diffuser, and it makes it more
difficult to replace a binary. Essentially, it turns CBC mode into a
wide block mode.

https://www.google.com/search?q=Niels+Ferguson+elephant+diffuser

Jeff
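
Added illustration, not part of the original message: the difference between plain CBC and a wide-block construction, measured as how many plaintext blocks of a 512-byte sector change when one ciphertext bit is altered. Assumptions: a toy Feistel cipher stands in for AES, a SHAKE-256 mixer stands in for the diffuser (it is not the Elephant Diffuser), and all names, the key and the sector contents are constructed for the example.

```python
import hashlib

BLOCK, SECTOR = 16, 512  # bytes per cipher block / per disk sector

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def f(key, rnd, half):  # round function of the toy Feistel cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):  # toy 128-bit block cipher (stand-in for AES)
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, f(key, i, r))
    return l + r
def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def diffuse(sector, rounds=(0, 1, 2, 3)):
    # Toy sector-wide mixer: even rounds update the left half, odd the right,
    # each XORed with a SHAKE-256 stream derived from the other half.
    h = [sector[:SECTOR // 2], sector[SECTOR // 2:]]
    for i in rounds:
        h[i % 2] = xor(h[i % 2], hashlib.shake_256(bytes([i]) + h[1 - i % 2]).digest(SECTOR // 2))
    return h[0] + h[1]
def undiffuse(sector):  # same XOR rounds in reverse order
    return diffuse(sector, rounds=(3, 2, 1, 0))

def damaged_blocks(wide):
    """Flip one ciphertext bit in block 5; return the plaintext blocks that change."""
    key, iv = b"constructed-key!", bytes(BLOCK)
    plain = bytes(i % 251 for i in range(SECTOR))  # constructed sector contents
    ct = bytearray(cbc_encrypt(key, iv, diffuse(plain) if wide else plain))
    ct[5 * BLOCK] ^= 0x01
    out = cbc_decrypt(key, iv, bytes(ct))
    out = undiffuse(out) if wide else out
    return [i // BLOCK for i in range(0, SECTOR, BLOCK) if out[i:i + BLOCK] != plain[i:i + BLOCK]]
```

With plain CBC the change stays confined to blocks 5 and 6 of the sector; with the mixer in front of CBC every one of the 32 blocks decrypts differently, so a tampered sector of a binary no longer decrypts to mostly intact code.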