Re: HOWTO: Encrypting /home with cryptsetup-luks on Fedora Core 5

Jan Reusch wrote:
Marc Schwartz wrote:

  It's a full day process (including the random writing of data)

why not setting up the encrypted device&filesystem and filling it with
random data afterwards?
you could copy your files to the device and fill the rest with files
dumped from /dev/urandom (each 100mb)
so you can work (except from the cpu and disk load from the dumping
process) and have the zeros wiped from your unencrypted device?

so, is there any security reason why not filling the partition with
random data afterwards?

thanks
Jan

Yep, two primary reasons.

1. Any old data that was in the clear on a non-encrypted partition, which is now becoming part of the new encrypted partition, would be vulnerable to review. See the Gutmann reference that I pointed to in my other reply today at:

  http://www.cs.auckland.ac.nz/~pgut001/

2. You would not be able to (easily) cover and protect file "slack" space, which is the residual space in an allocated file sector beyond where the file data itself is stored. The only way to reasonably and easily cover this is to write random data to the drive before copying data files to the media.

And again, it is not just writing 0's, but random patterns of 0's and 1's to the drive. Just writing blocks of 0's would largely defeat the purpose of this whole process.

As with any security, there is a trade-off between "ease of use" and the level of security. To take a day for this process is not unreasonable for me. It is just more a matter of workload and when I can schedule a "down day" to get this done.

HTH,

Marc Schwartz


---------------------------------------------------------------------
 - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx

