Bruno Wolff III <bruno@xxxxxxxx> writes:

> On Thu, Dec 12, 2013 at 11:32:41 -0800,
> "Wolfgang S. Rupprecht" <wolfgang.rupprecht@xxxxxxxxx> wrote:
>>Google is failing me here due to search spam for LUKS which doesn't
>>appear to be capable of *full* *disk* encryption. It only seems to
>>encrypt individual partitions.
>
> It can do full encryption of block devices. If you aren't booting off
> the SSD you could encrypt the whole drive. The luks header will still
> be on the SSD. If you didn't want that either, you could do some
> trickiness with dm to have the header on a different physical
> device. This is all going to need manual setup, as it isn't the normal
> case. (For most people leaking the partition information isn't a
> significant risk and encrypting by partition is simpler.)

No, leaking the partition info for the bootstrap isn't a worry for me
either. ;-) It's just that LUKS shows up and dominates searches for
FDE. If I didn't have always on, hardware FDE for free in the SSD, I'm
sure I'd be happy with LUKS.

After a bit more research it appears that the SSD FDE machinery is
always on, even with a blank password protecting the internally
generated random AES key. It is impressive that the disk does ~ 480
MBytes/sec (actual measured speed) even when squeezing all the data
through AES-128.

Of course, with the Snowden revelations, one has to wonder how random
the randomly chosen internal AES key is. If it is from an
intentionally crippled RNG, it may be easy for someone in the know to
do a brute-force search for it.

-wolfgang

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx