Web lists-archives.com

Re: Possible for full-disk encryption to encrypt /boot as well?




On 05/26/18 23:40, Paul Johnson wrote:
On Sun, May 27, 2018 at 12:43 AM, David Christensen <
dpchrist@xxxxxxxxxxxxxxxx> wrote:

On 05/26/18 21:16, Paul Johnson wrote:

On Sat, May 26, 2018 at 7:21 PM, David Christensen

Have you considered a self-encrypting drive ...


I'm 99.99% sure (like Dove soap sure) that Symantec full disk
encryption doesn't work this way because I'm just as sure that none
of the Dell models I've ever worked with have this hardware
capability.


I have tested Intel 520 Series SSD's with self-encryption in two Dell
laptop models:

- They do not work in Dell Inspiron E1505's (~2007, Core Duo).

- They do work in Dell Latitude E6520's (2011~2012, Sandy Bridge).


  Right, but is the basic system unencrypted or not?  I very, very, very
highly suspect not, since it seems fairly obviously to me (given that all
the Dell hardware stuff has finished and it's handed off to whatever is on
the boot device) it's handing off to encrypted software off the hard drive
to bootstrap the rest by the time anything Symantec gets involved with.


AFAIK self-encrypting drives (SED) have hardware encryption/ decryption engines (ASIC's) built into the on-board microcontroller. When the system boots, there is a protocol for the motherboard firmware to display a prompt on the console for the SED passphrase, which is then passed to the SED. If the passphrase is correct, the SED then encrypts/ decrypts data writes/ reads transparently (e.g. the SED acts like an unencrypted drive). If the passphrase is wrong, the SED will refuse to write/ read data, because it cannot encrypt/ decrypt without the passphrase. If someone pulls the platters or memory chips out of the SED, puts them into a test jig, and reads the magnetic bubbles/ transistors, they will obtain ciphertext. They must know the encryption algorithm, passphrase, and other pieces of information (nonces, etc.) to decrypt the ciphertext and obtain the plaintext.


Once the SED has been unlocked, the administrator can build additional layers of hardware and/or software encryption on top. FreeOTFE and dm-crypt/LUKS are examples of software encryption. I believe BitLocker is also software encryption, but allows keys to be stored in a Trusted Platform Module (TPM). I am not familiar with Symantec encryption products.


David