
Full Disk Encryption

From the document Simple Steps to Data Encryption (pages 107-110)

Chapter 8 Security Practices and Tips

8.4 Full Disk Encryption

“Broad strokes here: doing full disk encryption (FDE) means that your entire hard drive is encrypted. If you take the hard drive out and put it on another system, or if you boot from a rescue disc, all you’ll see is ciphertext.” Sam pauses expectantly, so Bob asks, “If it’s all encrypted, how can I use any of the data on it? Do I have to decrypt it all every time I log in?”

“Great question!” Sam replies. “When you log back in to a system with FDE, there’s a little program that encrypts any data being written to the disk and that decrypts any data that is being read from the disk. It’s very efficient, so it doesn’t really affect system performance. If you log in with the right passphrase, that program will work; if you don’t have the passphrase, you won’t be able to read any data from that disk.”

“But Sam, in that case, when I’m using the computer, it’s as if the disk isn’t encrypted and all of my system is an open book,” asks Bob, uncertainly adding, “Isn’t it?”

“Exactly,” answers Sam. “That’s why you should never leave your computer turned on when you’re not using it, or when it’s out of your control. And also why you should keep your computer off any networks, and also don’t let anyone plug in to your USB ports. Because there are forensic software programs, sometimes used by law enforcement agencies, that can copy the contents of your RAM, or your entire hard drive.”

“Well, then why bother encrypting my hard drive at all, Sam?” Bob asks.

8.4.1 How Good Is FDE?

“FDE is an excellent security practice, as long as you are aware of the weaknesses,” Sam says. “Because as long as you are vigilant, and keep the system powered down when you don’t have control over it, you’ll be pretty safe.”

“Thank you, Sam, that explains what Walter was doing earlier, while you were in the washroom.” Bob turns to face a burly gentleman standing at the entry to the first class compartment and says, “Walter, allow me to introduce you to my new friend, Mallory.” Turning back to Sam, Bob says, “Mallory, this is Walter, one very cool cat who works for my wife. I should have known that he would be on this flight; he watches over us, particularly when we may need some protection.”

Sam begins to panic, glancing back and forth, at Bob and then at Walter. “When you went to the washroom, I discovered Walter in coach and explained that you were trying to convince me to betray my nation. The first thing he did was to plug into your notebook and did some fooling around, I don’t know what, exactly, but I think now that you have been p0wned--is that the right word, Walter?”

As Walter nods somberly, Bob continues: “So, Sam, rather than I working for you, it is you who will be working for my wife. Chin up, though, it is not so bad to live in Sylvania: you will be given an entry-level job, something honorable yet not too pleasant, perhaps school lunch server or maybe plumber’s helper. And in the evenings you will be called upon to help train members of our security service.”

“In any case,” continues Bob, “Please explain how effective FDE is; you can be sure I will not leave my system turned on when it is unattended. But take your time, and have a beverage if you need a moment to collect your wits, by all means.”

Walter removes Sam’s computer from his tray table, replacing it with a tumbler of scotch, and as Bob plays Scramble with Friends,[11] Sam attempts to regain enough composure to answer Bob’s question.

Sam begins: “When used correctly, FDE can be extremely resistant even to efforts by the government.[12] I mean, the US government, but I guess any other government will have the same problem. The two big things to remember are keep the computer turned off when unattended and use a strong passphrase.”

Bob interrupts: “Yes, that’s funny, as Walter told me your FDE passphrase was ‘password123’. I think that is not a strong passphrase, do you agree?”

“Well, no, unh, I guess it’s not too strong, Bob,” mutters Sam.

Bob touches Sam’s wrist and says, “Well, never mind. Everything will be fine for you, don’t worry, you’ll see. But before you return to Walter’s seat in coach, tell me how to do FDE.”

“Aw, heck, Bob, here’s a FAQ I wrote,” Sam says, handing a sheet of paper to Bob. “I’m coming, Walter, where were you sitting?”

[11] Scramble with Friends is a popular time killer often played on a smartphone while sitting on an airplane. It has nothing to do with encryption.

[12] See Efficacy of full disk encryption, http://crypto.loshin.com/2012/11/19/efficacy-of-full-disk-encryption/.

“Oh, a very nice seat, just across from the toilet, all the way back. There are only two babies in the seats behind, and you have the honor of sitting between two of Sylvania’s most popular wrestlers.”

Bob says, “See you later, Mallory,” as he turns to peruse Sam’s FAQ:
