On Sun, 2019-01-27 at 15:06 -0800, Gordon Messmer wrote: > On 1/27/19 2:44 PM, Patrick O'Callaghan wrote: > > If it's not being read and rewritten, it's not being encrypted. It's as > > simple as that. A cryptosystem that doesn't read the plaintext? How > > does that work? > > The suggestion you're replying to didn't encrypt the drive in place. It > read a stream of zeros from /dev/zero, encrypted that stream, and wrote > that stream to the disk. Thus, nothing needed to be read from any disk. I think the writer *thought* it was encrypting the disk. I may be wrong, but that's what I was responding to rather than the minutiae of the actual command. Regardless, writing a bunch of encrypted zeroes is no better than writing plain zeroes or writing random noise, if it's just a single pass. I think the various answers here are actually addressing slightly different questions. In my case I'm talking about defence against physical-level analysis of the disk. > However, this whole thread is questionable. It is predicated on the > assumption that your CPU can encrypt a stream of zeros faster than it > can generate random data, and also that it can write to its disk faster > than it can generate random data. If either of those things is not > true, then using an encrypted volume to "wipe" a drive will be slower > and more complex, for no benefit. > > On my Dell XPS 13, I can read from /dev/urandom at almost exactly the > same speed that I can write to a dm-crypt block device, so there would > be no reason to use dm-crypt over simply dd if=/dev/urandom to the drive. Of course. > (But the point that I was making when I replied to this thread to begin > with is that if you are concerned with wiping your data from drives, it > should never have been written to the drive in an unencrypted form to > begin with. Encrypt your disks. When you want to get rid of them, > they're already as secure as your passphrase, and you can irrecoverably > wipe them by simply wiping the key header. It's nearly instantaneous.) Again, I agree, but that's not what the OP asked. Telling him "you should have started with an encrypted disk" is like telling a traveller who's asking the way to Podunk "start from somewhere else". poc _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
