In reply to Milan Broz <mbroz@xxxxxxxxxx>:

> > My idea is to cipher _all_ blocks by changing the salt.
>
> You forgot one fundamental thing.
>
> If an attacker can do snapshots in time (IOW he can read the
> cipher text device after user performed some changes) he has
> either physical access to the system or he has administrator
> permissions.

Physical access.

> This allows more powerful attacks already (installing
> keylogger

I also use full disk encryption. [You can say that I don't have to care for an encrypted file, but yes, I have to. The attacker can always watch modified blocks, even if it's ciphered another time by FDE. The position of files doesn't change often on a disk. So if somebody has repeated access to my FDE system, then the password, he can know where the 100Mbyte file resides, then check which blocks have changed on the encrypted partition.]

> modifying kernel

I'm using a TPM chip to enforce that everything in my /boot partition (kernel, initramfs, bootloader and options) is unchanged between reboots.

> bios,

I don't really believe in that. By the way, BIOS with TPM have one part read-only, unchangeable, and TPM chips guarantee (that's their purpose) that it's unchanged.

> ...).
>
> If an attacker has such access nothing will help you.
> The chain is weaker somewhere else here.

I hope I took care of all of these problems.

> > not so much, depending on how much data you cipher.
> > I use files of less than 100Mbytes and cipher them. On
> > close, a full recipher wouldn't take long.
>
> Then use encryption on filesystem level (e.g. with CTR mode,
> iow stream mode) and not sector level block device encryption.

I'm not sure I understand (??) A stream mode would help? With filesystem level encryption? But maybe it's not the right mailing list if the talk goes that way.
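The following is an added illustration of the point argued in this exchange, not code from the thread or from dm-crypt: with sector-level encryption, two ciphertext snapshots reveal exactly which sectors were written in between, whereas re-encrypting everything under a new salt changes every sector and hides that pattern. The device model, sector size, key, salts and file contents are all constructed for the demo; the hash-derived per-sector keystream only stands in for a real per-sector cipher and is not a secure construction.

```python
"""Toy model of a sector-encrypted block device, used to show what an
observer with two ciphertext snapshots can and cannot learn.

NOT a real cipher: the per-sector keystream below is a stand-in for
dm-crypt's per-sector encryption, chosen only because it is deterministic
per (key, salt, sector), which is the property that leaks "what changed".
"""
import hashlib

SECTOR_SIZE = 32   # constructed: small sectors keep the demo readable (dm-crypt uses 512)
NUM_SECTORS = 8    # constructed device size


def _sector_keystream(key: bytes, salt: bytes, index: int) -> bytes:
    """Deterministic keystream for one sector, derived from key, salt and sector index."""
    out = b""
    counter = 0
    while len(out) < SECTOR_SIZE:
        out += hashlib.sha256(
            key + salt + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:SECTOR_SIZE]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SectorEncryptedDevice:
    """Plaintext sectors plus the key/salt that turn them into ciphertext on read."""

    def __init__(self, key: bytes, salt: bytes):
        self.key = key
        self.salt = salt
        self.plain = [bytes(SECTOR_SIZE)] * NUM_SECTORS

    def write(self, index: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("write one full sector at a time")
        self.plain[index] = data

    def snapshot(self) -> list:
        """What the observer reads: the ciphertext of every sector."""
        return [_xor(p, _sector_keystream(self.key, self.salt, i))
                for i, p in enumerate(self.plain)]

    def rekey(self, new_salt: bytes) -> None:
        """The poster's idea: change the salt so every sector re-encrypts differently."""
        self.salt = new_salt


def changed_sectors(snap_a: list, snap_b: list) -> list:
    """Indices of sectors whose ciphertext differs between two snapshots."""
    return [i for i, (a, b) in enumerate(zip(snap_a, snap_b)) if a != b]


def demo() -> tuple:
    """Returns (sectors leaked by a plain write, sectors changed by a salt change)."""
    key = b"K" * 32                                   # constructed key
    dev = SectorEncryptedDevice(key, salt=b"salt-1")  # constructed salt

    dev.write(3, b"secret file block v1".ljust(SECTOR_SIZE, b"\0"))
    snap1 = dev.snapshot()

    # The user edits the file; only sector 3 is rewritten.
    dev.write(3, b"secret file block v2".ljust(SECTOR_SIZE, b"\0"))
    snap2 = dev.snapshot()
    leaked = changed_sectors(snap1, snap2)            # observer sees exactly [3]

    # Re-encrypting under a new salt touches every sector, so the diff says nothing.
    dev.rekey(b"salt-2")                              # constructed new salt
    snap3 = dev.snapshot()
    hidden = changed_sectors(snap2, snap3)            # every sector differs

    return leaked, hidden


if __name__ == "__main__":
    leaked, hidden = demo()
    print("sectors changed by the edit:", leaked)
    print("sectors changed by the rekey:", hidden)
```

The cost Milan points at is visible in `rekey`: hiding the write pattern means the whole device (or file) must be rewritten, which is why the poster limits it to files under 100Mbytes and why filesystem-level encryption, which can re-encrypt just that file, was suggested instead.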