[Discuss] Revisiting VMWare ESX backup options

[me at mattgillen.net (Matthew Gillen)]

On 11/04/2014 10:27 AM, Richard Pieri wrote:
> The encrypt everything ideology is nothing more than security theater:
> do something that provides a warm and fuzzy feeling without addressing
> the real problem of poor or nonexistent physical security. If you
> maintain good physical security then the devices won't be lost or stolen
> in the first place.

I think that's a bit unfair; physical security can be just as difficult 
in practice as software security.  I once timed AAA unlocking a car 
whose keys were locked inside: 11 seconds from walking up to the car to 
open door.  Criminals have the same tools.

Not everyone can have a bank vault to put their computers in. 
Whole-disk-encryption is decent protection against thefts of 
opportunity.  Thefts of opportunity (i.e. you weren't specifically 
targeted for theft, you were just in the wrong place at the wrong time) 
aren't after the data, they just want to resell the hardware.  If the 
data is easily accessible and can be easily determined if there's 
additional value, all the better.  But if there's significant cost to 
even figuring out whether the data on that laptop has value, it's 
usually not worth it.

It's much harder to defend against targeted thefts, because you have to 
assume that the thief will employ every possible trick to get the data 
from your laptop (and shutting down your laptop doesn't necessarily make 
your encryption key unrecoverable from memory:
 
https://freedom-to-tinker.com/blog/felten/new-research-result-cold-boot-attacks-disk-encryption/ 
)

Matt