[dm-crypt] Encrypted partitions with sectors to zero?

Arno Wagner arno at wagner.name
Thu Oct 24 13:53:57 CEST 2013


On Thu, Oct 24, 2013 at 09:33:47AM +0200, Thomas Martin wrote:
> Hello Arno.
> 
> > Encryption does not overwrite your data. If you want that
> > with LUKS or plain dm-crypt, you need to do the overwrite
> > yourself. Some tools, like TrueCrypt, offer you to do
> > this optionally during installation.
> >
> > See also FAQ item 5.3.
> 
> My bad, this is actually obvious (I always used shred when I was
> converting my old unsecured machines before encrypting them).
> 
> 
> > Yes. See FAQ item 5.3. If you do it for an already created
> > filesystem, you will not reach everything though, that is
> > why the overwrite should be done after crypto-mapping, but
> > before filesystem creation.
> >
> > Arno
> 
> Good point, I was looking to avoid insecurities by disabling TRIM but
> I didn't understand that this insecurity was "by default" even
> without TRIM (as I hadn't filled the LUKS container).
> 
> 
> Thanks a lot Arno, this is a lot more understandable for me now.

You are welcome. SSDs are still a security risk with regard
to some features, namely erasing old data, changing
passphrases and securely erasing a LUKS container, see FAQ 
Item 5.19. If you understand these issues and accept the associated
risks, encryption on SSDs is still a lot more secure than no 
encryption.

Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare
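The ordering discussed in the thread (map the container, overwrite the mapped device, only then create the filesystem), as an added shell example that is not part of the list post or of cryptsetup itself. The disk path, mapping name and the choice of ext4 are assumptions; the wipe and check functions accept a regular file as a stand-in so they can be exercised without root or a real dm-crypt mapping.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Zeros written through the
# dm-crypt mapping land on the underlying disk as ciphertext, so the overwrite
# both destroys old plaintext and hides which sectors are unused. Writing zeros
# to the raw disk instead would leave a recognisable all-zero pattern.
set -eu

# Size in bytes of a block device, or of a regular file used as a stand-in.
device_size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole (mapped) device with zeros, then flush to stable storage.
# On a block device, '>' does not truncate; it simply writes from offset 0.
wipe_mapped_device() {
    dev=$1
    size=$(device_size_bytes "$dev")
    head -c "$size" /dev/zero | dd of="$dev" bs=1M conv=fsync 2>/dev/null
}

# Return 0 when every byte of the device reads back as zero (through the
# mapping); on the raw disk the same sectors look random.
verify_zeroed() {
    dev=$1
    size=$(device_size_bytes "$dev")
    head -c "$size" /dev/zero | cmp -s - "$dev"
}

# Full procedure in the recommended order (needs root; assumed names/paths).
# Step 2 runs BEFORE mkfs: once a filesystem exists, a file-level fill such as
# shred cannot reach metadata areas and reserved blocks.
prepare_encrypted_volume() {
    disk=$1      # e.g. /dev/sdb2 (assumed)
    name=$2      # mapping name, e.g. cryptdata (assumed)
    cryptsetup luksFormat "$disk"                 # 1. create the LUKS header
    cryptsetup open "$disk" "$name"               #    map the container
    wipe_mapped_device "/dev/mapper/$name"        # 2. overwrite via mapping
    verify_zeroed "/dev/mapper/$name"             #    optional sanity check
    mkfs.ext4 "/dev/mapper/$name"                 # 3. only now make the fs
}
```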
