Re: Possible for full-disk encryption to encrypt /boot as well?
- Date: Sun, 27 May 2018 10:39:18 -0700
- From: David Christensen <dpchrist@xxxxxxxxxxxxxxxx>
- Subject: Re: Possible for full-disk encryption to encrypt /boot as well?
On 05/26/18 23:40, Paul Johnson wrote:
> On Sun, May 27, 2018 at 12:43 AM, David Christensen <
>> On 05/26/18 21:16, Paul Johnson wrote:
>>> On Sat, May 26, 2018 at 7:21 PM, David Christensen
>>>> Have you considered a self-encrypting drive ...
>>> I'm 99.99% sure (like Dove soap sure) that Symantec full disk
>>> encryption doesn't work this way because I'm just as sure that none
>>> of the Dell models I've ever worked with have this hardware
>> I have tested Intel 520 Series SSDs with self-encryption in two Dell
>> - They do not work in Dell Inspiron E1505s (~2007, Core Duo).
>> - They do work in Dell Latitude E6520s (2011~2012, Sandy Bridge).
> Right, but is the basic system unencrypted or not? I very, very, very
> highly suspect not, since it seems fairly obvious to me (given that all
> the Dell hardware stuff has finished and it's handed off to whatever is on
> the boot device) it's handing off to encrypted software off the hard drive
> to bootstrap the rest by the time anything Symantec gets involved with.
AFAIK self-encrypting drives (SED) have hardware encryption/decryption
engines (ASICs) built into the on-board microcontroller. When the
system boots, there is a protocol for the motherboard firmware to
display a prompt on the console for the SED passphrase, which is then
passed to the SED. If the passphrase is correct, the SED then encrypts/
decrypts data writes/reads transparently (e.g. the SED acts like an
unencrypted drive). If the passphrase is wrong, the SED will refuse to
write/read data, because it cannot encrypt/decrypt without the
passphrase. If someone pulls the platters or memory chips out of the
SED, puts them into a test jig, and reads the magnetic bubbles/
transistors, they will obtain ciphertext. They must know the encryption
algorithm, passphrase, and other pieces of information (nonces, etc.) to
decrypt the ciphertext and obtain the plaintext.
Once the SED has been unlocked, the administrator can build additional
layers of hardware and/or software encryption on top. FreeOTFE and
dm-crypt/LUKS are examples of software encryption. I believe BitLocker
is also software encryption, but allows keys to be stored in a Trusted
Platform Module (TPM). I am not familiar with Symantec encryption products.
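A toy model of the SED behaviour described in the message above (passphrase unlock, transparent reads/writes once unlocked, refusal while locked, and only ciphertext on the raw media), added here as an illustration; it is not code from the thread or from any drive vendor's firmware. The `SelfEncryptingDrive` class, `demo()` function and sample sector are invented for the example, and the HMAC-SHA256 keystream, PBKDF2 passphrase derivation and XOR key wrap are stand-ins for the drive's AES engine and key-wrap scheme, chosen so the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import secrets

SECTOR = 512  # bytes per logical block address (LBA)


def _keystream(dek: bytes, lba: int, length: int) -> bytes:
    """Stand-in for the controller's AES engine: HMAC-SHA256 run in counter
    mode, keyed by the DEK and tweaked with the LBA so every sector gets its
    own keystream (real SEDs use AES-XTS with the LBA as the tweak)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(dek, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Hypothetical SED: the media holds only ciphertext, the data encryption
    key (DEK) is stored wrapped under a passphrase-derived key-encryption key
    (KEK), and I/O is served only while the drive is unlocked."""

    def __init__(self, passphrase: str, sectors: int = 8):
        self._media = bytearray(sectors * SECTOR)  # the "platters"/flash chips
        self._salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)  # generated inside the controller, never exported
        kek = self._derive_kek(passphrase)
        self._wrapped_dek = _xor(dek, kek)  # XOR wrap stands in for AES key wrap
        self._kek_check = hmac.new(kek, b"unlock-check", hashlib.sha256).digest()
        self._session_dek = None  # present only while the drive is unlocked

    def _derive_kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 200_000)

    def unlock(self, passphrase: str) -> bool:
        kek = self._derive_kek(passphrase)
        check = hmac.new(kek, b"unlock-check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self._kek_check):
            return False  # wrong passphrase: DEK stays wrapped, drive stays locked
        self._session_dek = _xor(self._wrapped_dek, kek)
        return True

    def lock(self) -> None:
        self._session_dek = None

    def write(self, lba: int, data: bytes) -> None:
        if self._session_dek is None:
            raise PermissionError("drive is locked; cannot encrypt")
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        ct = _xor(data, _keystream(self._session_dek, lba, SECTOR))
        self._media[lba * SECTOR:(lba + 1) * SECTOR] = ct

    def read(self, lba: int) -> bytes:
        if self._session_dek is None:
            raise PermissionError("drive is locked; cannot decrypt")
        return _xor(self.raw_media(lba), _keystream(self._session_dek, lba, SECTOR))

    def raw_media(self, lba: int) -> bytes:
        """What a test jig reading the platters/flash directly obtains."""
        return bytes(self._media[lba * SECTOR:(lba + 1) * SECTOR])


def demo(passphrase: str = "correct horse battery") -> dict:
    """Walk through the lifecycle from the message and report each property."""
    drive = SelfEncryptingDrive(passphrase, sectors=4)
    secret = b"payroll: alice 1234".ljust(SECTOR, b"\x00")  # constructed sample sector
    results = {}
    try:
        drive.write(0, secret)
        results["locked_refuses_io"] = False
    except PermissionError:
        results["locked_refuses_io"] = True
    results["wrong_passphrase_rejected"] = not drive.unlock("wrong passphrase")
    results["unlocked"] = drive.unlock(passphrase)
    drive.write(0, secret)
    drive.write(1, secret)
    results["transparent_read"] = drive.read(0) == secret
    raw0 = drive.raw_media(0)
    results["media_holds_ciphertext"] = raw0 != secret and b"payroll" not in raw0
    results["lba_tweak_differs"] = raw0 != drive.raw_media(1)  # same data, different sector
    drive.lock()
    try:
        drive.read(0)
        results["relocked_refuses_io"] = False
    except PermissionError:
        results["relocked_refuses_io"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two points the model makes visible: the media never holds the DEK, only the passphrase-wrapped copy plus an unlock check, so reading the platters without the passphrase yields ciphertext alone; and because the keystream is tweaked by LBA rather than by a fresh per-write nonce (the same trade-off real full-disk encryption makes), identical data in two sectors encrypts differently, but rewriting the same data to the same sector produces the same ciphertext.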