Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by mail.saout.de (Postfix) with ESMTP; Fri, 6 Nov 2009 19:27:58 +0100 (CET)
Date: Fri, 6 Nov 2009 19:27:57 +0100
From: Heinz Diehl
Message-ID: <20091106182757.GA9497@fancy-poultry.org>
References: <20091106172819.D11C97BD6E@ws5-10.us4.outblaze.com>
In-Reply-To: <20091106172819.D11C97BD6E@ws5-10.us4.outblaze.com>
Subject: Re: [dm-crypt] Crack a dm-LUKS partition or harddisk
To: dm-crypt@saout.de

On 06.11.2009, Si St wrote:

> Are the security problems as to e.g. watermarks also affecting GnuPG? Well, I would think so if the ECB is used

GnuPG uses CFB mode of operation (as defined in the OpenPGP standard); it's
a streaming version of CBC and is therefore not vulnerable to watermarking.
Please folks, correct me if I'm wrong.

> I am a doctor and transfer daily info of thousands of patients every day on a USB-stick.
> Before I used to plaintext-copy them all to the stick, but now I always encrypt it as a tar-file with gpg.
> I transfer the journals from my office machine to home machines....

In my opinion, you're better off using LUKS/dmcrypt on the USB-stick.
In addition, the whole system should be encrypted as well, to handle leaking
of the passphrase/key.

> The office machine is an old SuSE 7.3 !! with hardware from the year of the Lord 2001.
> But this machine is NOT configured to internet - it is only a stand alone machine.

This machine needs to be updated. A whole lot of things have changed since 2001.

> What do you say about this matter, my dear Heinz? Stubbornness and remnant newbie, maybe.

I would update / replace the old machine with a new one, install some recent
Linux distribution on it, with encrypted filesystems (incl. root/swap), and
prepare the USB stick with a LUKS/dmcrypt formatted partition. Newer Linux
kernels also provide a bunch of modes of operation which are not vulnerable
to watermarking (XTS...). Alternatively, you could use an SSH tunnel using
authorization via RSA-key from/to your home/workplace machine and drop
carrying sensitive data on your memory stick.
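
The ECB-versus-CFB point discussed in the reply above, as an added example that is not part of the original message: repeated plaintext blocks stay visible under ECB and disappear under CFB with a random IV. Assumptions: `toy_encrypt_block` is a constructed Feistel stand-in for AES (the Python standard library has no AES), the CFB shown is plain full-block CFB rather than OpenPGP's exact variant, and all names and the sample data are hypothetical.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # bytes, same block size as AES

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation; a constructed stand-in for AES, not a real cipher.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext
    # blocks always produce equal ciphertext blocks.
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_0 = IV.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        keystream = toy_encrypt_block(key, prev)
        prev = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    counts = Counter(ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK))
    return sum(n - 1 for n in counts.values())

def demo():
    key = os.urandom(32)
    # Constructed sample: the same 16-byte block repeated 8 times.
    plaintext = b"PATIENT-RECORD--" * 8
    ecb = ecb_encrypt(key, plaintext)
    cfb = cfb_encrypt(key, os.urandom(BLOCK), plaintext)
    return repeated_blocks(ecb), repeated_blocks(cfb)

if __name__ == "__main__":
    print(demo())
```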