From owner-freebsd-hackers@FreeBSD.ORG Tue Feb 26 11:45:47 2008
Message-ID: <47C3FBE8.8010201@geminix.org>
Date: Tue, 26 Feb 2008 12:45:44 +0100
From: Uwe Doering
Organization: Private UNIX Site
To: Achim Patzner
Cc: freebsd-hackers@freebsd.org, "David E. Thiel"
Subject: Re: Security Flaw in Popular Disk Encryption Technologies
In-Reply-To: <9111966B-DB9C-41E3-9D30-168D668585A9@bnc.net>
References: <20080223010856.7244.qmail@smasher.org> <20080223222733.GI12067@redundancy.redundancy.org> <31648FC5-26B9-4359-ACC8-412504D3257B@bnc.net> <47C345C9.8010901@geminix.org> <9111966B-DB9C-41E3-9D30-168D668585A9@bnc.net>
List-Id: Technical Discussions relating to FreeBSD

Achim Patzner wrote:
> On 25.02.2008 at 23:48, Uwe Doering wrote:
>> Since it hasn't been mentioned so far: There are hard disk drives that
>> do encryption on the firmware level, so you don't have to store keys
>> on the OS level.
>
> I wouldn't go that far as there isn't (better: I didn't find)
> enough documentation on their mechanisms to satisfy my curiosity.

I haven't tried so far, but perhaps they can provide additional docs or pointers to already downloadable whitebooks on request. In the past, I found a number of whitebooks on their web site detailing various aspects of their storage technology. Quite interesting stuff. :-)

> You might want to take a look at eNova (http://www.enovatech.net/)
> who are pointing at interesting hardware using their crypto technology.

Interesting approach as well. Thanks for the pointer. However, given that notebooks are the most vulnerable group of computers in this regard, the drawback I see is that the notebook manufacturers first have to adopt this solution, since you normally cannot put such additional hardware into a notebook yourself. This restricts your choice of notebooks, and you also still have no solution for notebooks that you already have.

For this reason it struck me as a clever idea to do the encryption in the HDD's firmware. This way you need no additional hardware and can equip each and every notebook sporting a SATA interface with sufficiently secure HDD encryption, without support from the notebook manufacturer, because an HDD is a user-replaceable part.

Regards,
Uwe
-- 
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net