* [dm-crypt] Is erasing hard disk drive mandatory?
From: Kenny Lake @ 2014-05-29 13:33 UTC
To: dm-crypt@saout.de

If I want to create an encrypted volume over a disk drive where there were no sensible data, or where there was another encrypted volume, can I skip the erasing procedure, or will that compromise the security of the new encrypted volume?
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Arno Wagner @ 2014-05-29 20:13 UTC
To: dm-crypt

First, I presume this is about wiping the raw volume with cryptographically strong randomness, or wiping the new encrypted volume with anything (e.g. zeros). These two come down to the same effect on the raw volume.

Erasing is not recommended to remove any data that was there before (if you want that, you must erase, but it is a separate thing). Erasing is recommended to make it non-transparent where data was written in the encrypted volume. If you care, then you need to erase.

Arno

On Thu, May 29, 2014 at 15:33:23 CEST, Kenny Lake wrote:
> If I want to create an encrypted volume, over a disk drive where there
> were no sensible data or there was another encrypted volume, can I skip
> the erasing procedure or will it compromise the security of the new encrypted
> volume?

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Stephen Cousins @ 2014-05-30 13:32 UTC
To: dm-crypt

I've been curious about the random data step for a while. I created an array made up of dm-crypted disks but I didn't do this step. The disks did have some data on them but not necessarily random data. What is the functional purpose of writing random data to the disk prior to encrypting them? Does the encryption process use existing data from the disk as part of its encryption method? What would happen if dm-crypt was used on a completely blank disk?

Thanks,

Steve

On Thu, May 29, 2014 at 4:13 PM, Arno Wagner <arno@wagner.name> wrote:
> First, I presume this is about wiping the raw volume with
> cryptographically strong randomness, or wiping the new
> encrypted volume with anything (e.g. zeros). These two come
> down to the same effect on the raw volume.
>
> Erasing is not recommended to remove any data that was there
> before (if you want that, you must erase, but it is a separate
> thing). Erasing is recommended to make it non-transparent where
> data was written in the encrypted volume. If you care, then you
> need to erase.
>
> Arno

-- 
________________________________________________________________
Steve Cousins            Supercomputer Engineer/Administrator
Advanced Computing Group          University of Maine System
244 Neville Hall (UMS Data Center)           (207) 561-3574
Orono ME 04469                    steve.cousins at maine.edu
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Arno Wagner @ 2014-05-30 13:42 UTC
To: dm-crypt

If you put an encrypted volume on a blank disk, anybody getting access to the raw disk can tell where (which sectors) data was written to. That can represent a hidden channel that leaks information.

Arno

On Fri, May 30, 2014 at 15:32:38 CEST, Stephen Cousins wrote:
> I've been curious about the random data step for a while. I created an
> array made up of dm-crypted disks but I didn't do this step. The disks did
> have some data on them but not necessarily random data. What is the
> functional purpose of writing random data to the disk prior to encrypting
> them? Does the encryption process use existing data from the disk as part
> of its encryption method? What would happen if dm-crypt was used on a
> completely blank disk?
>
> Thanks,
>
> Steve
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Stephen Cousins @ 2014-05-30 13:52 UTC
To: dm-crypt

I see. So it has nothing to do with how well the data is encrypted. Just another level of protection as far as the scale of work someone would have to try to crack it if it looked like the whole disk was encrypted vs. just the actual data that had been written.

Thanks,

Steve

On Fri, May 30, 2014 at 9:42 AM, Arno Wagner <arno@wagner.name> wrote:
> If you put an encrypted volume on a blank disk, anybody getting
> access to the raw disk can tell where (which sectors) data was
> written to. That can represent a hidden channel that leaks
> information.
>
> Arno
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Heinz Diehl @ 2014-05-30 15:07 UTC
To: dm-crypt

On 30.05.2014, Stephen Cousins wrote:
> I see. So it has nothing to do with how well the data is encrypted. Just
> another level of protection..

Maybe. I think the practical effects are negligible. With the first minutes of use of such a disk, temporary files get written to it, files get deleted, new ones get written and old stuff gets overwritten. If the encryption is secure, all that doesn't really matter.
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Stephen Cousins @ 2014-05-30 15:17 UTC
To: Heinz Diehl; +Cc: dm-crypt

Hi Heinz,

I agree. The field, by its very nature, has varying levels of paranoia (rightly so, as we are seeing these days), and this level is more than what I need for my purposes, so I can save some time by not having to send random data to all of the drives during the build process.

Steve

On Fri, May 30, 2014 at 11:07 AM, Heinz Diehl <htd@fancy-poultry.org> wrote:
> Maybe. I think the practical effects are negligible. With the first
> minutes of use of such a disk, temporary files get written to it,
> files get deleted, new ones get written and old stuff gets
> overwritten. If the encryption is secure, all that doesn't really
> matter.
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Thomas Bastiani @ 2014-05-30 15:58 UTC
To: Stephen Cousins; +Cc: dm-crypt

On 05/30/14 16:17, Stephen Cousins wrote:
> Hi Heinz,
>
> I agree. The field, by its very nature, has varying levels of paranoia
> (rightly so as we are seeing these days) and this level is more than what I
> need for my purposes so I can save some time by not having to send random
> data to all of the drives during the build process.
>
> Steve

I tend to do the erase pass because it doesn't have a performance cost on hard drives. On SSDs though, this would prevent TRIM from functioning properly and make the SSD appear as full to the controller, which would hurt performance. So I tend to not erase SSDs with random data before encryption.

The other thing is, if you TRIM NAND cells on your SSD, their contents should be unrecoverable, as opposed to standard hard drives.

-- 
Thomas
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Heinz Diehl @ 2014-05-30 17:10 UTC
To: dm-crypt

On 30.05.2014, Thomas Bastiani wrote:
> On SSDs though, this would prevent TRIM from functioning properly
> and make the SSD appear as full to the controller which would
> hurt performance.

If you e.g. do a "dd if=/dev/urandom of=bigfile" to a SSD drive until the partition is fully overwritten, simply deleting "bigfile" followed by a "fstrim" should restore performance to the same level as it was before. What am I missing?
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Thomas Bastiani @ 2014-05-30 17:24 UTC
To: dm-crypt

On 05/30/14 18:10, Heinz Diehl wrote:
> If you e.g. do a "dd if=/dev/urandom of=bigfile" to a SSD drive
> until the partition is fully overwritten, simply deleting "bigfile"
> followed by a "fstrim" should restore performance to the same level as
> it was before. What am I missing?

Your first step is to dd if=/dev/urandom of=/dev/sd<x> or an equivalent operation. This is before you even create an encrypted container and definitely below your file system...

It may be that files that you create and then delete will trigger a TRIM operation if dm-crypt (and eventually LVM) are configured to pass TRIM through. But the rest of your "securely erased" drive is still not TRIM-ed.

And also it doesn't make sense to configure dm-crypt to pass TRIM (with --allow-discards) if you've written random data to your drive at creation time, because then you introduce another, different type of side-channel leak.

Does that make sense?

-- 
Thomas
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Heinz Diehl @ 2014-05-30 17:47 UTC
To: dm-crypt

On 30.05.2014, Thomas Bastiani wrote:
> It may be that files that you create and then delete will trigger
> a TRIM operation if dm-crypt (and
> eventually LVM) are configured to pass TRIM through. But the rest of
> your "securely erased" drive is still not TRIM-ed.

As far as I know, mkfs discards blocks while creating the filesystem. So your device should be "overwritten" at that stage of the process?

(I myself never do any overwriting of hard disks; I've just asked out of sheer curiosity.)
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Thomas Bastiani @ 2014-05-30 17:57 UTC
To: dm-crypt

On 05/30/14 18:47, Heinz Diehl wrote:
> As far as I know, mkfs discards blocks while creating the filesystem.
> So your device should be "overwritten" at that stage of the process?

Oh cool. I had no idea. So then it would make the whole dd operation useless if you pass --allow-discards to cryptsetup.

-- 
Thomas
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Laurence Darby @ 2014-05-30 19:03 UTC
To: Thomas Bastiani; +Cc: dm-crypt

You're all missing a very important point. Have a read of http://embeddedsw.net/doc/physical_coercion.txt (a reference on http://en.wikipedia.org/wiki/Deniable_encryption) and think about whether you want some random data at the end of your drive that you can't decrypt.

-- 
Laurence

Thomas Bastiani wrote:
> Oh cool. I had no idea. So then it would make the whole dd operation
> useless if you pass --allow-discards to cryptsetup.
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Arno Wagner @ 2014-05-30 19:25 UTC
To: dm-crypt

If you do this right (zero wipe within the opened encrypted container, as described in FAQ Item 2.19), then you can decrypt this data to zeros.

Unfortunately, given the frequency with which people ask about "hidden encrypted volumes" here and are completely unaware of the danger they put themselves in, I think educating people about this risk is a lost cause.

Arno

On Fri, May 30, 2014 at 21:03:08 CEST, Laurence Darby wrote:
> You're all missing a very important point. Have a read of
> http://embeddedsw.net/doc/physical_coercion.txt (a reference on
> http://en.wikipedia.org/wiki/Deniable_encryption) and think about if
> you want some random data at the end of your drive that you can't
> decrypt.
>
> --
> Laurence
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Heinz Diehl @ 2014-05-31 8:32 UTC
To: dm-crypt

On 30.05.2014, Thomas Bastiani wrote:
> Oh cool. I had no idea. So then it would make the whole dd operation
> useless if you pass --allow-discards to cryptsetup.

I think so. At least mkfs.xfs, mkfs.ext4 and mkfs.btrfs are discarding blocks while creating the fs. Don't know about other fs.
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Arno Wagner @ 2014-05-30 18:08 UTC
To: dm-crypt

It requires specific attack situations. For example, some application could write data in a specific pattern that would then be visible in the raw container. Or you could determine the size of some files or the type of the filesystem. Not anything usually critical, but something to keep in mind, and when being careful the crypto-wipe step is advisable.

Arno

On Fri, May 30, 2014 at 17:17:27 CEST, Stephen Cousins wrote:
> Hi Heinz,
>
> I agree. The field, by its very nature, has varying levels of paranoia
> (rightly so as we are seeing these days) and this level is more than what I
> need for my purposes so I can save some time by not having to send random
> data to all of the drives during the build process.
>
> Steve
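The sector-visibility channel Arno describes (which raw sectors were ever written), the TRIM pass-through leak Thomas raises earlier in the thread, and the difference between a random pre-fill and a zero wipe inside the opened container (FAQ item 2.19) can all be seen on a small simulated device. This is an added example, not code from the thread or from dm-crypt/cryptsetup: RawDisk, CryptVolume and scenario are constructed names, and the per-sector cipher is a toy HMAC-SHA256 keystream standing in for dm-crypt's real AES-XTS, used only because its output looks random on the raw device.

```python
import hashlib
import hmac
import math
import os

SECTOR = 512


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Toy per-sector keystream (HMAC-SHA256 in counter mode), standing in for
    dm-crypt's real sector cipher; all we rely on is that output looks random."""
    out, counter = bytearray(), 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR with the sector keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector_no, len(data))))


class RawDisk:
    """The block device as seen by whoever holds the hardware (constructed model).
    A factory-fresh disk, or a TRIMmed SSD range, reads back as zeros."""

    def __init__(self, sectors: int) -> None:
        self.sectors = sectors
        self.buf = bytearray(sectors * SECTOR)

    def read(self, n: int) -> bytes:
        return bytes(self.buf[n * SECTOR:(n + 1) * SECTOR])

    def write(self, n: int, data: bytes) -> None:
        assert len(data) == SECTOR
        self.buf[n * SECTOR:(n + 1) * SECTOR] = data

    def discard(self, n: int) -> None:
        self.write(n, bytes(SECTOR))  # deterministic read-zero after TRIM


class CryptVolume:
    """dm-crypt style mapping: plaintext sector n <-> ciphertext sector n."""

    def __init__(self, raw: RawDisk, key: bytes, allow_discards: bool = False) -> None:
        self.raw, self.key, self.allow_discards = raw, key, allow_discards

    def write(self, n: int, plain: bytes) -> None:
        self.raw.write(n, crypt_sector(self.key, n, plain))

    def read(self, n: int) -> bytes:
        return crypt_sector(self.key, n, self.raw.read(n))

    def discard(self, n: int) -> None:
        if self.allow_discards:  # what cryptsetup --allow-discards turns on
            self.raw.discard(n)


def raw_sector_map(raw: RawDisk) -> str:
    """The view without the key: 'Z' = all-zero sector, 'D' = something written."""
    return "".join("D" if any(raw.read(n)) else "Z" for n in range(raw.sectors))


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; ciphertext and urandom fill both score near 8."""
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)


def scenario(wipe: str, discard_after: bool = False) -> dict:
    """wipe: 'none' (fresh disk), 'random-raw' (urandom onto the raw device before
    the container exists) or 'zero-in-container' (zeros written through the opened
    mapping, the FAQ item 2.19 method). A constructed 3-sector 'file' lands on
    sectors 4..6; discard_after then TRIMs its middle sector through the mapping."""
    raw, key = RawDisk(16), os.urandom(32)
    if wipe == "random-raw":
        for n in range(raw.sectors):
            raw.write(n, os.urandom(SECTOR))
    vol = CryptVolume(raw, key, allow_discards=discard_after)
    if wipe == "zero-in-container":
        for n in range(raw.sectors):
            vol.write(n, bytes(SECTOR))
    for n in (4, 5, 6):
        vol.write(n, (b"sensitive record %d\n" % n).ljust(SECTOR, b"\0"))
    if discard_after:
        vol.discard(5)
    written = [n for n in range(raw.sectors) if any(raw.read(n))]
    return {
        "raw_map": raw_sector_map(raw),  # what leaks without the key
        "decrypts_to_zero": sum(vol.read(n) == bytes(SECTOR) for n in range(16)),
        "min_entropy": round(min(entropy_bits(raw.read(n)) for n in written), 2),
    }
```

On a fresh disk the raw map pins the file to sectors 4..6; after either wipe every sector looks like high-entropy ciphertext, but only the in-container zero wipe yields a device whose unused sectors decrypt to zeros with the key, and a single passed-through discard punches a visible zero sector back into the map.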
* Re: [dm-crypt] Is erasing hard disk drive mandatory?
From: Andrew @ 2014-05-30 10:02 UTC
To: Kenny Lake; +Cc: dm-crypt@saout.de

Hey Kenny,

If you do skip over the erase during configuration, you can get the same effect by causing the filesystem to write to every block:

    dd if=/dev/zero of=uselessjunk ; \rm uselessjunk

Of course, you also need to fill up the inode tables, otherwise your disk may tell how many files are on the disk. Make lots of files.

If you're paranoid, or have a need to irritate security experts, use /dev/urandom instead of /dev/zero.

&:-)

On Thu, 29 May 2014 14:33:23 +0100 (BST) Kenny Lake <kennylake96@yahoo.it> wrote:
> If I want to create an encrypted volume, over a disk drive where
> there were no sensible data or there was another encrypted volume,
> can I skip the erasing procedure or will it compromise the security of
> the new encrypted volume?

-- 
Thousands of years to mess up six days' work, and we're STILL not done