From owner-freebsd-questions@freebsd.org Mon Feb 24 16:16:53 2020 Return-Path: Delivered-To: freebsd-questions@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 145CD239AEA for ; Mon, 24 Feb 2020 16:16:53 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from kicp.uchicago.edu (kicp.uchicago.edu [128.135.20.70]) by mx1.freebsd.org (Postfix) with ESMTP id 48R6dc661Zz4JBK for ; Mon, 24 Feb 2020 16:16:52 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from point.uchicago.edu (point.uchicago.edu [128.135.52.6]) (Authenticated sender: galtsev) by kicp.uchicago.edu (Postfix) with ESMTPSA id 7DF034E6A0 for ; Mon, 24 Feb 2020 10:16:52 -0600 (CST) Subject: Re: rm | Cleaning up recycle bin To: freebsd-questions@freebsd.org References: <20200223184908.b35d656a.freebsd@edvax.de> <20200224145317.GA9130@neutralgood.org> <20200224151337.30d8d819e7cf74bde984b77a@sohara.org> <20200224110621.3267115d@scorpio> From: Valeri Galtsev Message-ID: <4484c068-b304-b9c7-087d-aea67aeef719@kicp.uchicago.edu> Date: Mon, 24 Feb 2020 10:16:52 -0600 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <20200224110621.3267115d@scorpio> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 48R6dc661Zz4JBK X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-6.00 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Feb 2020 16:16:53 -0000 On 2020-02-24 10:06, Jerry wrote: > On Mon, 24 Feb 2020 09:38:46 -0600, Valeri Galtsev stated: >> It depends on what kind of attack you are trying to defend from. If it >> is theft of your hard drive from your cold powered off machine, then >> this will help (not 100% solve it, just brute force drive decryption >> attack is too expensive or slow). If, however, it is physical machine >> security that you are trying to solve, encrypting drive not >> necessarily will help. The following is the speculation about how the >> attack can be performed. Bad guy has physical access to your machine >> when it is up and running. He opens the case, splashes liquid nitrogen >> onto your RAM, pulls RAM modules, plugs them into his device. Low >> temperature ensures the content of RAM is not lost while physically >> swapping it over to bad guy's device, and that device ensures the >> content of RAM is not lost (pretty much the same way as dynamic RAM is >> used always). And the guy takes the hard drive. Encryption/decryption >> happens on the fly on running machine (otherwise yanking the power >> will allow on to have decrypted drive), and therefore the >> encryption/decryption key(s) must me somewhere in the RAM when machine >> runs. And the bad guy has it all now: the whole content of the RAM >> (with the keys), and [encrypted] hard drive. He has your information. > > Can you document an actual event when this scenario occurred? > No, because, as I said, I am speculating. If you find flaw in my speculation, I'd like to hear about that. And I'm sure, there are other ways of attack to get data in case one encrypts hard drive or filesystem. I just speculated through the most obvious (for me) way that should be doable. I do not have extensive knowledge of [successful or unsuccessful] attacks against encrypted storage. If someone can enlighten us all on the real world cases/statistics, it would be interesting to know. Thanks. Valeri -- ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++