
Thread: Why does full disk encryption require no time?

  1. #11
    Join Date
    Jan 2010
    Location
    Wheeling WV USA
    Beans
    1,796
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: Why does full disk encryption require no time?

    Quote Originally Posted by nw9165-3201 View Post
    Then it is not full disk encryption at all and wear levelling of SSDs could pose a security risk...
    If you had encryption enabled when you first wrote the data, then that data is encrypted (with the old key). If you want all the data to now be encrypted with the new key, read and rewrite all the data. There are cases where less than this is desired and secure, so it won't just do it automatically. Wear levelling of SSDs has its own security issues when you no longer have block layer access to residual data (wiping the device won't get rid of all residual data).
    Mask wearer, Social distancer, System Administrator, Programmer, Linux advocate, Command Line user, Ham radio operator (KA9WGN/8, tech), Photographer (hobby), occasional tweeter

  2. #12
    Join Date
    Mar 2016
    Beans
    40

    Re: Why does full disk encryption require no time?

    This is a very bad security-related bug, and it's being misunderstood by everyone.
    The original poster should have focused on the "Overwrite empty disk space" option, maybe that would have made it clearer, but still I'm astonished that no one is getting this right.
    I hope to do some clarification.

    Encrypting a drive or a partition with Ubiquity, after choosing either the "Encrypt the new Ubuntu installation for security" option or the "Something else" one followed by manual encryption using the default partitioning software, you will be given this checkbox at some point:
    "For more security: Overwrite empty disk space (The installation might take much longer.)"
    This has one and only one obvious meaning:
    the entire selected drive or partition will be wiped out / hard-formatted / overwritten with random data. This is how it works with every encryption software.
    The reason to choose this option is to delete residual data on the disk/partition in case the disk is not new and "clear data" has been written on it in the past. You can of course do this before manually with various tools (dd, shred, etc.), but that's not the point.
    The bug is that if you check the checkbox, this user choice will be completely ignored, i.e. the partition/disk will not be wiped and it will only be "set" for encryption of following writings (e.g. the following installation of Ubuntu and the first things the user will do with it).

    I post again the bug report in hope of further discussion and fixing:
    https://bugs.launchpad.net/ubuntu/+s...y/+bug/1602155
    Last edited by SamInside; September 26th, 2016 at 06:59 PM. Reason: adding bug report link
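
A way to check the outcome described in the post above, as an added example that is not part of the thread or of the installer's code: sample blocks from the underlying partition or a raw image and classify them by byte entropy. The block size, threshold, function names and sample data are assumptions made for this illustration.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096      # sample size in bytes (assumption, not an installer value)
THRESHOLD = 7.5   # bits/byte; random 4 KiB blocks measure about 7.95

def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    if len(set(block)) == 1:
        return "constant"        # zero-filled or never-written space
    if shannon_entropy(block) >= THRESHOLD:
        return "random-like"     # ciphertext or a random-data overwrite
    return "structured"          # plaintext remnants, old filesystem data

def survey(stream, step: int = 1, block_size: int = BLOCK) -> dict:
    """Classify every step-th block of a binary stream opened read-only."""
    counts = {"constant": 0, "random-like": 0, "structured": 0}
    suspicious = []              # offsets of blocks that are not random-like
    offset = 0
    while True:
        stream.seek(offset)
        block = stream.read(block_size)
        if len(block) < block_size:
            break
        kind = classify(block)
        counts[kind] += 1
        if kind != "random-like":
            suspicious.append(offset)
        offset += step * block_size
    return {"counts": counts, "suspicious_offsets": suspicious}

def constructed_image() -> io.BytesIO:
    """Constructed sample: 8 random blocks, 4 zero blocks, 4 old-plaintext blocks."""
    text = (b"user=alice secret=example-only\n" * 200)[:BLOCK]
    return io.BytesIO(os.urandom(8 * BLOCK) + bytes(4 * BLOCK) + text * 4)

if __name__ == "__main__":
    # For a real check, pass open("/path/to/device-or-image", "rb") instead.
    report = survey(constructed_image())
    print(report["counts"], report["suspicious_offsets"][:4])
```

Read the partition underneath the encrypted mapping, not the opened mapping itself; apart from the LUKS header, constant or structured blocks there are space that was never overwritten with random data.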

  3. #13
    Join Date
    Mar 2016
    Beans
    40

    Re: Why does full disk encryption require no time?


  4. #14
    Join Date
    May 2010
    Beans
    135

    Re: Why does full disk encryption require no time?

    The option should work. Indeed it doesn't. The bug report is confusing since it does not lead with this issue and does not provide steps to reproduce... probably won't be fixed this way unless a super motivated developer stumbles across it.

    This is the first time I tried to debug the Ubuntu installer and damn it's confusing... tons of stuff in the debug log, just not what you're looking for.

    Edit:

    The file "skip_erase" exists even with the option checked, and as such the erasing functions (crypto_wipe, crypto_do_wipe) are never called. I'm too lazy to track down what is supposed to be creating/removing the "skip_erase" file.
    Last edited by frostschutz; September 30th, 2016 at 02:04 PM.

  5. #15
    Join Date
    Mar 2016
    Beans
    40

    Re: Why does full disk encryption require no time?

    Quote Originally Posted by frostschutz View Post
    The bug report is confusing since it does not lead with this issue and does not provide steps to reproduce... probably won't be fixed this way unless a super motivated developer stumbles across it.
    Have you checked the other older bug report that I've linked?
    https://bugs.launchpad.net/ubuntu/+s...7?comments=all
    It refers to the exact issue.

  6. #16
    Join Date
    Aug 2016
    Beans
    115

    Re: Why does full disk encryption require no time?

    Quote Originally Posted by nw9165-3201 View Post
    What? Then the "Encrypt the new Ubuntu installation for security" option in the installer is not full disk encryption at all.

    If you are correct, then it does not encrypt the entire disk then. It only encrypts used disk space. The empty space is not encrypted then.

    At least with BitLocker you have the option to choose between encrypting used disk space only or encrypting the entire disk, see following screenshot for example:

    https://i-technet.sec.s-msft.com/en-...s,MSDN.10).jpg



    Yes, there is a "For more security: Overwrite empty disk space (The installation might take much longer.)" option on the next screen after the screen which has the "Encrypt the new Ubuntu installation for security" option.

    Now, the question is: If that option is checked, does it just overwrite the empty disk space? Or does it also encrypt it?

    I was assuming that it only overwrites it with zeros before encrypting it. I was assuming that the entire disk would be encrypted anyway using the "Encrypt the new Ubuntu installation for security" option, regardless of the "For more security: Overwrite empty disk space (The installation might take much longer.)" option.

    There are lots of ways to write random data over your entire disk; you can do it with the live DVD/USB and the "dd" command if you're interested.

    I never considered encrypting deleted files but I can see how it would be important to some.

    Edit: Sorry, to clarify: do you want those deleted files to be wiped, or do you want them encrypted so you can possibly restore them in the future? I can't see why anyone would want to encrypt deleted files.
    Last edited by T2uiYKb7; October 6th, 2016 at 04:55 AM.

  7. #17
    Join Date
    Mar 2016
    Beans
    40

    Re: Why does full disk encryption require no time?

    Quote Originally Posted by andrew.nz View Post
    to clarify: do you want those deleted files to be wiped, or do you want them encrypted so you can possibly restore them in the future? I can't see why anyone would want to encrypt deleted files.
    Obviously "wiped". Please see my post to understand the issue: https://ubuntuforums.org/showthread....1#post13549951
