Local Encryption ... Why Not?

scottalanmiller

More than two years since our last update on this one!

BRRABill

Still think FDE is a good way to go to protect against the non "deep state" hackers.

scottalanmiller

@brrabill said in Local Encryption ... Why Not?:

Still think FDE is a good way to go to protect against the non "deep state" hackers.

FDE does nothing against hacking, though, but is effective against people who walk off with your desktops. But hackers would never even know FDE was there, it's bypassed once the machine is powered on.

BRRABill

Right, I mean when the careless CEO leaves his laptop in an airport and you're just trying to protect the goods from a 14 year old kid with a Windows 10 ISO.

stacksofplates

@scottalanmiller said in Local Encryption ... Why Not?:

@brrabill said in Local Encryption ... Why Not?:

Still think FDE is a good way to go to protect against the non "deep state" hackers.

FDE does nothing against hacking, though, but is effective against people who walk off with your desktops. But hackers would never even know FDE was there, it's bypassed once the machine is powered on.

Unless you use LUKS with passwords or something like a Yubikey.

stacksofplates

@stacksofplates said in Local Encryption ... Why Not?:

@scottalanmiller said in Local Encryption ... Why Not?:

@brrabill said in Local Encryption ... Why Not?:

Still think FDE is a good way to go to protect against the non "deep state" hackers.

FDE does nothing against hacking, though, but is effective against people who walk off with your desktops. But hackers would never even know FDE was there, it's bypassed once the machine is powered on.

Unless you use LUKS with passwords or something like a Yubikey.

This is a gripe I've had with Bitlocker. Ya it's encrypted so someone can't just take a drive, but if they take the whole system it's unencrypted with the push of a button. I'm willing to bet you could get a shim between the drive and the SATA port to read data flowing. Of course this is completely out of realm of normal people, but it's still the point.

Carnival Boy

@stacksofplates said in Local Encryption ... Why Not?:

This is a gripe I've had with Bitlocker. Ya it's encrypted so someone can't just take a drive, but if they take the whole system it's unencrypted with the push of a button.

How? I'm not familiar with Bitlocker although it is installed on my laptop.

hobbit666

Just been re-reading some of this,

I need to "reinstall" my computer, might do it this afternoon. (need to install another SSD coz i can )

Might give Scott's idea of nothing stored on the local machine a go have everything On-Line, maybe not even use Outlook . Most of the files i need/use are either in SharePoint or my OneDrive (or should be going forward)

dafyre

@stacksofplates said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

@scottalanmiller said in Local Encryption ... Why Not?:

@brrabill said in Local Encryption ... Why Not?:

Still think FDE is a good way to go to protect against the non "deep state" hackers.

FDE does nothing against hacking, though, but is effective against people who walk off with your desktops. But hackers would never even know FDE was there, it's bypassed once the machine is powered on.

Unless you use LUKS with passwords or something like a Yubikey.

This is a gripe I've had with Bitlocker. Ya it's encrypted so someone can't just take a drive, but if they take the whole system it's unencrypted with the push of a button.

It depends on if you are using a passphrase on the disk or if your computer has a TPM module. If it's TPM, then you're right. If you have a passphrase, then you're in a little better shape.

DustinB3403

Simple answer to the concern about the system being unencrypted is to not use something based on hardware then. Use VeraCrypt if you need "more".

stacksofplates

@dafyre said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

@scottalanmiller said in Local Encryption ... Why Not?:

@brrabill said in Local Encryption ... Why Not?:

Still think FDE is a good way to go to protect against the non "deep state" hackers.

FDE does nothing against hacking, though, but is effective against people who walk off with your desktops. But hackers would never even know FDE was there, it's bypassed once the machine is powered on.

Unless you use LUKS with passwords or something like a Yubikey.

This is a gripe I've had with Bitlocker. Ya it's encrypted so someone can't just take a drive, but if they take the whole system it's unencrypted with the push of a button.

It depends on if you are using a passphrase on the disk or if your computer has a TPM module. If it's TPM, then you're right. If you have a passphrase, then you're in a little better shape.

Right. I'm referring to TPM.

stacksofplates

@carnival-boy said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

This is a gripe I've had with Bitlocker. Ya it's encrypted so someone can't just take a drive, but if they take the whole system it's unencrypted with the push of a button.

How? I'm not familiar with Bitlocker although it is installed on my laptop.

If it's using TPM to unlock, all you have to do is turn it on.

stacksofplates

@hobbit666 said in Local Encryption ... Why Not?:

Just been re-reading some of this,

I need to "reinstall" my computer, might do it this afternoon. (need to install another SSD coz i can )

Might give Scott's idea of nothing stored on the local machine a go have everything On-Line, maybe not even use Outlook . Most of the files i need/use are either in SharePoint or my OneDrive (or should be going forward)

All of my dotfiles are in version control. Every time I open a new terminal it checks for changes. So really the only thing that's local for me is the applications that are installed (and keys).

Carnival Boy

@stacksofplates said in Local Encryption ... Why Not?:

If it's using TPM to unlock, all you have to do is turn it on.

Sure, but Bitlocker with TPM allows you to setup a pre-boot pin, so all good.

scottalanmiller

@carnival-boy said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

If it's using TPM to unlock, all you have to do is turn it on.

Sure, but Bitlocker with TPM allows you to setup a pre-boot pin, so all good.

Yeah, if you do that, TPM does good stuff for mobile devices.

stacksofplates

@carnival-boy said in Local Encryption ... Why Not?:

@stacksofplates said in Local Encryption ... Why Not?:

If it's using TPM to unlock, all you have to do is turn it on.

Sure, but Bitlocker with TPM allows you to setup a pre-boot pin, so all good.

Right, as long as you require something. I’ve seen some that just do TPM and nothing else. I guess it’s not a gripe I have with Bitlocker. Just the fact that people don’t pay attention to that. LUKS forces a password or some type of key.

scottalanmiller

Had a customer a few weeks ago lose their laptop because they encrypted it but couldn't figure out their password. Non-replaceable part. So it was hosed.

jmoore

I've advocated we store nothing on our laptops but so far its had little effect. We are very backward here unfortunately. I think storing mostly online is very good and makes services like Nextcloud very valuable in this scenario.

DustinB3403

@jmoore said in Local Encryption ... Why Not?:

I've advocated we store nothing on our laptops but so far its had little effect. We are very backward here unfortunately. I think storing mostly online is very good and makes services like Nextcloud very valuable in this scenario.

Keeping files on a laptop aren't really the issue here. The customer in Scott's case setup disk or file system encryption and had no recovery method to get into the file system. Seemingly with some hardware encryption that once set it just had to get tossed out.

Encryption of any kind is a good thing generally speaking (not including ransomware) as its an easy to add level of security, but you need to have recovery methods otherwise you're up the creek without a paddle.

Obsolesce

@scottalanmiller said in Local Encryption ... Why Not?:

Had a customer a few weeks ago lose their laptop because they encrypted it but couldn't figure out their password. Non-replaceable part. So it was hosed.

It's funny how a place with a handful of devices has problems with that, but a place that has 25 thousand encrypted devices across ~30 countries literally has not a single issue with it.