1. 17
  1.  

  2. 1

    The OS binary resources (i.e. /usr/) must be authenticated before being booted into. (But don’t need to be encrypted, since everyone has the same anyway, there’s nothing to hide here.)

    I think one wants to encrypt them anyway, in case one has custom stuff installed. He does briefly mention this later, but I think it is important to note that an FDE system should be as full as possible, with a minimal set of unencrypted software and data: just enough to get to an encrypted (and authenticated) state.

    Binding encryption of /var/ and /etc/ to the TPM also addresses the first of the two more advanced attack scenarios: a copy of the harddisk is useless without the physical TPM chip …

    His solution to this is recovery keys, which isn’t a terrible idea, but requires something outside of a user’s head to recover a hard drive. Right now, all of my random m 128-bit passwords are secured with one passphrase in my head for a password manager, on a volume secured by another passphrase in my head. This setup means that there is no way for anyone to get any of my passwords except by guessing (or attacking the integrity of the system running the password manager). Additionally, I can get at my data just by dropping the hard drive in another system.

    With this scheme, I would need to store an unmemorisable recovery key somewhere. If it is on a physical store (e.g. a piece of paper), someone can physically steal it; if it is on an electronic store, that is a completely other system I have to maintain, and I have to ensure that I correctly and securely copy over the recovery key. This is not impossible, of course, but it is a heck of a lot more work than a memorised passphrase.

    I think an option to use a system-wide passphrase should be provided: I want the ability to encrypt all my disks with a passphrase like ‘the quick brown fox jumped over the lazy dogs’ so that I can access all data on them with a new system and the contents of my brain. And I want to be prompted for that phrase on every boot, so that my memory is refreshed each time.