[Discuss] Full disk encryption

Richard Pieri richard.pieri at gmail.com
Mon Jan 2 21:01:01 EST 2012


On Jan 2, 2012, at 7:55 PM, Tom Metro wrote:
> 
> What makes Microsoft BitLocker better than TrueCrypt?

"... because it protects against more attack modes than other software."

> Are you using full disk encryption? If so, what tool are you using?

I don't.  I take care of my gear.  I made this statement before: I see WDE as an enabler for carelessness.  We keep hearing about "lost" notebooks with sensitive information on them.  If the bearers of those notebooks weren't so careless then their notebooks wouldn't have been lost in the first place.  Better still, if the data on those laptops were kept on secure servers with controlled VPN access instead of on portable equipment then loss of that portable equipment wouldn't be an issue.

Legacy FileVault restore is a PITA.  You can't restore normally.  You either restore the entire sparsebundle for the user's home directory or mount the backup volume and pluck out files by hand.  FileVault2 addresses this because it is a WDE system, but FV2 has its own issues.

And this is the great big rub with WDE: backups.  File-level backups are decrypted when sent to the backup system unless the backup system itself re-encrypts everything.  One MITM attack and everything is compromised.  Container and block backups require restoring the entire container or block device; they can't be used to restore single files, at least not without great difficulty, and block device (bare metal) restores usually need to be restored to identical hardware to work correctly.

I had TrueCrypt WDE on my netbook and BitLocker on my gaming rig at home.  I ripped them out because of the backup/restore hassles.  The perception of security just isn't worth it.

Never mind that I have a pair of Mac Minis playing server.  Sometimes they need to be restarted remotely.  Can't do that with WDE.

--Rich P.
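An added example, not code from the post or from any tool named in this thread, showing the middle ground the message leaves out: a file-level backup where the client encrypts each file under its own key before hand-off, so the backup system (and anyone on the wire) sees only ciphertext while single-file restore still works. The cipher is an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC, picked only because it needs nothing beyond the Python standard library; the "backup server" is a dict, the master key and sample files are constructed for the demo, and a real deployment would use an audited tool such as restic or Borg rather than this construction.

```python
"""Client-side per-file encryption before backup (added demonstration).

Shows that file-level backups need not leave the client in plaintext and
need not give up per-file restore.  The construction (HMAC-SHA256 keystream
in counter mode, encrypt-then-MAC) is a stand-in for a real AEAD cipher and
is used here only so the example runs with the standard library alone.
"""
import hashlib
import hmac
import os
import struct

# Constructed demo key; a real master key would come from a KMS or passphrase KDF.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()

# Constructed sample "home directory"; names and contents are made up.
SAMPLE_FILES = {
    "notes.txt": b"quarterly numbers, confidential",
    "vpn.conf": b"[vpn]\nhost=gateway.example.internal\n",
}


def _derive(master: bytes, nonce: bytes, purpose: bytes) -> bytes:
    # Per-file subkeys: the master key is never used directly as a cipher key.
    return hmac.new(master, purpose + nonce, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks concatenated.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_file(master: bytes, name: str, plaintext: bytes) -> bytes:
    """Return nonce || tag || ciphertext for one file."""
    nonce = os.urandom(16)
    enc_key = _derive(master, nonce, b"enc")
    mac_key = _derive(master, nonce, b"mac")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag binds the file name and nonce, so one file's blob cannot be
    # passed off as another file's on restore.
    tag = hmac.new(mac_key, name.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def decrypt_file(master: bytes, name: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key = _derive(master, nonce, b"enc")
    mac_key = _derive(master, nonce, b"mac")
    expect = hmac.new(mac_key, name.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("backup blob failed integrity check: %s" % name)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def backup(master: bytes, files: dict) -> dict:
    """Hand each file to the 'server' already encrypted; it stores only ciphertext."""
    return {name: encrypt_file(master, name, data) for name, data in files.items()}


def restore_one(master: bytes, store: dict, name: str) -> bytes:
    """Single-file restore: no need to pull back a whole container or block image."""
    return decrypt_file(master, name, store[name])


def plaintext_visible(store: dict, files: dict) -> bool:
    """True if any file's plaintext appears verbatim in what the server holds."""
    return any(files[n] in store[n] for n in files)


if __name__ == "__main__":
    store = backup(MASTER_KEY, SAMPLE_FILES)
    print("server holds plaintext:", plaintext_visible(store, SAMPLE_FILES))
    print("restored:", restore_one(MASTER_KEY, store, "notes.txt"))
```

The point for the backup argument above: what crosses the network and sits on the backup host is ciphertext, so a MITM or a compromised backup server gets nothing usable, yet restore is still by file name rather than by whole container. The cost is that the master key becomes the thing you must protect and back up separately, and a lost key means every file is gone.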

