[dm-crypt] Prepare SSD for encrypted linux install

Heinz Diehl htd+ml at fritha.org
Wed Nov 8 19:45:34 CET 2017


On 08.11.2017, Merlin Büge wrote: 

> To avoid information leakage about the storage device's usage patterns,
> it is generally recommended to fill the entire device with random data
> before setting up encryption. It is also recommended to issue an 'ATA
> secure erase' to SSDs before using it to avoid performance issues.

As far as I know (and the fine people here on the list will surely
correct me if I'm wrong), there is no need to do anything else than
partitioning your SSD and establish a crypto device via device mapper.

Of course, somebody with access to your harddisk will be able to
identify which blocks are real data and which are not, but it won't
have any impact on the security of our data unless the underlying
device mapper has a major bug or the crypto is broken. Most of the
"security flaws" are more of an academic nature. Yes, TRIM does make
it possible to gather data on patterns of disk usage. It may also be
possible to identify (or guess) the underlying filesystem. But does
this ultimately lead to data access? Most probably not.

Wear levelling is often discussed to be a problem, because old data
may linger somewhere in the dark depth of memory cells. As long as
you don't change the password/keyslot and a password with enough
entropy is used, I can see no real danger.

Most of the encrypted data is being "decrypted" because of keyloggers,
physical access to the machine while running, trojans, viruses and
weak passwords - and not because of using an SSD. Attacking the crypto
itself is plain stupid, unless you have found the holy grail of
mathematics.

Cheers,
 Heinz
 


More information about the dm-crypt mailing list