From: Heinz Diehl
To: dm-crypt@saout.de
Date: Wed, 8 Nov 2017 19:45:34 +0100
Subject: Re: [dm-crypt] Prepare SSD for encrypted linux install
Message-ID: <20171108184534.GA2941@fritha.org>
In-Reply-To: <20171108183632.86d664bf5f369380a2d4fb88@bluenox07.de>

On 08.11.2017, Merlin Büge wrote:

> To avoid information leakage about the storage device's usage patterns,
> it is generally recommended to fill the entire device with random data
> before setting up encryption. It is also recommended to issue an 'ATA
> secure erase' to SSDs before using it to avoid performance issues.

As far as I know (and the fine people here on the list will surely correct me if I'm wrong), there is no need to do anything else than partitioning your SSD and establishing a crypto device via device mapper. Of course, somebody with access to your hard disk will be able to identify which blocks are real data and which are not, but it won't have any impact on the security of your data unless the underlying device mapper has a major bug or the crypto is broken. Most of the "security flaws" are more of an academic nature. Yes, TRIM does make it possible to gather data on patterns of disk usage. It may also be possible to identify (or guess) the underlying filesystem. But does this ultimately lead to data access? Most probably not.

Wear levelling is often discussed as a problem, because old data may linger somewhere in the dark depth of memory cells. As long as you don't change the password/keyslot and a password with enough entropy is used, I can see no real danger.

Most of the encrypted data is being "decrypted" because of keyloggers, physical access to the machine while running, trojans, viruses and weak passwords - and not because of using an SSD. Attacking the crypto itself is plain stupid, unless you have found the holy grail of mathematics.

Cheers,
Heinz