From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS2 support for null/plaintext target
Date: Wed, 18 Dec 2019 01:24:35 +0100
Message-ID: <20191218002435.GA5297@tansi.org>
In-Reply-To: <A8JWXFZaBxIPrlyUS9Srrbvb3j0l57rqwsQ4VIkiUANVZMKy2rnlEoEGrD57zAGDq8mrgBp6dtgkmA_rl_jlsoTAP8VoFqvACYhOepCpHVs=@protonmail.ch>
On Tue, Dec 17, 2019 at 18:07:11 CET, Jordan Glover wrote:
> On Monday, December 16, 2019 6:24 PM, Chris Murphy <lists@colorremedies.com> wrote:
[...]
> > It is a very different problem where to find the resources to build
> > in-place conversion. But I think it's unwittingly asking more users to
> > forgo encryption at all to argue against it on the basis that it's
> > somehow a significant security risk. How many hours, days or weeks of
> > typical usage do you think takes before all cells have either been
> > erased or overwritten by encrypted data? There is interim exposure,
> > that some use case will care about, but some won't. And that might be
> > more useful in assessing a personal line in the sand than
> > categorically saying in-place conversion gives a false sense of
> > security.
> >
> > Chris Murphy
>
> I agree that security is hard and users are unsophisticated but I'm not
> convinced what you propose will help those people rather than hurt them.
> It's easy to imagine that people will believe that their data is encrypted
> after install if they use luks and miss the fact that some action is needed
> to actually enable encryption.
>
> Jordan

I agree on that. And here we have a responsibility: It must be as
hard as possible to screw this up and the state things are in
must be as obvious as possible. It is better if getting encryption
requires some work and some reading, than if it is easy to mistake
the state of things and thinking you are secure when you are not.
That way, anybody that really cares will have encryption and anybody
that finds this too much of a bother will not have encryption, but
they will all know where they stand.

Also, I have absolutely no tolerance for the idea that everything
with computers must be (apparently) easy and simple. We spend
years teaching kids to learn how to read and write, but somehow
when using the most sophisticated tech the human race has ever
made, everything must be a single click.

That is obvious nonsense and catering to this mindset does damage.
What should be done instead is to make it as clear as possible
that some things are hard to do, hard to understand and that there
is no replacement for finding out. That way, nobody will be fooled
into thinking things are easy that are not, just because they
have been designed to appear to be easy. You cannot make complicated
things simple. Complexity can be hidden but only in mature tech
can it be removed. In computers (which are anything but mature)
you can only lie to the users, to their detriment.

Regards,
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier