| brent timothy saner on 27 Jun 2015 15:46:50 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] USB-attached, hardware-encrypted card reader ... why vaporware? |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I think you may have sent this to Keith and me directly by accident, as this didn't seem to get to the list. On 06/27/2015 05:42 PM, bergman@merctech.com wrote: > In the message dated: Sat, 27 Jun 2015 16:49:15 -0400, > The pithy ruminations from "Keith C. Perry" on > <Re: [PLUG] USB-attached, hardware-encrypted card reader ... why vaporware?> we > re: > > While the stuff you each wrote about encrypted USB flash drives and > software encryption (subjects about which I'm quite familiar) may be > accurate, aside from the statements: > > "personally, i don't trust hardware encryption- it doesn't allow > for tweaking or transparency, and due to the limited hardware > onboard they tend to be fairly limited." > > and > "I don't trust small hardware to be be durable" > > I don't see anything on-topic in your responses to my query about > hardware devices to portably encrypt generic SD cards. Which is why I offered a cross-platform software suggestion, which you can use to create an encrypted loopback filesystem volume on top of the SD's base filesystem. Which would be GUARANTEED portable, and have the benefit of being able to use stronger encryption/new algorithms as time goes on. What did you think I meant by suggesting it? > I've got a use case that I think is fairly common Let me stop you right there- it isn't really, which is why the specific solution you're looking for doesn't exist. Unless someone is a photographer (in which case I'd doubt they'd use encrypted SD media, as their camera would probably choke on trying to use it) or you're running a massive sneakernet caravan (I am, of course, being facetious), most people use maybe one or two SD cards at MOST (aside from their "smart" mobile device's storage, which they never think about, and Android/iOS encrypts for you if you so desire it to). USB killed CF, and ever since all the attempts to bring back flash-based/cell-based storage in a non-USB form factor have failed with the exception of niche markets/specialized implementations. What you're probably instead going to find better luck with is with USB "flash" storage (which isn't actually flash so much as cheap cell-driven storage, but whatever). And there are plenty of options for those with hardware security, but again- it's not ideal. On-device hardware encryption is weak. Period. It affords no future-proofing, no protection from zero-day discovered vulnerability, no ability to use newer algorithms as time progresses. Waste of money, in my opinion. Additionally, there is no guarantee these hardware solutions will work with GNU/Linux. I suggested CipherShed because it is more portable- despite software upgrades (since when does upgrading encryption software break access to volumes encrypted with earlier versions? This does not happen in the F/OSS software-level encryption world- if it does, it's a bug, and shouldn't make it to stable. If this has ever happened, I'd be surprised if it wasn't reverted/resolved within the next minor release. Unless you're running Gentoo or Arch, you'd have no reason to worry), and all the other things you mentioned. > -- the ownership and > use of a number of SD cards, particularly during travel. While > convenient, these are easy to loose, or may be in a bag that's stolen. See, and I think we disagree entirely on the "convenience" aspect of it. And yes, they're FAR too easy to lose. > Hardware encryption of generic flash cards offers security, > expandability, value, and device independence that none of the > solutions you suggested can provide, which is why I turned to this list > to find out if I had overlooked a relevant solution. Really? LUKS/cryptsetup and CipherShed both have not security, expandability, value, *or* device independence? Surely, the claim that SD card storage is more reliable, accessible, has more value, device independence and a wiser choice than ALL other media isn't just a *wee* bit unrealistic? Considering that software encryption allows you to choose how strong you want your encryption, can be applied to ANY media across (in e.g. CipherShed's example) MULTIPLE platforms, hell- even across a RAID if you want, and is much more device-agnostic than a specific form factor can even inherently be, I find that claim a bit unbelievable. As for "Value", that's largely a pretty subjective thing and depends entirely on context. > Frankly, I disagree with your contentions about 'small hardware' not being > durable or trustworthy -- particularly when that hardware has things like > FIPS certification, epoxy-potted components, etc. In my personal > experience, and considering the boxes of failed storage devices at $WORK > that are awaiting destruction, mechanical hardware (disk drives & fans) > and their power supplies have a far greater failure rate than flash > drives. In several years worth of experience with hardware-encrypted > USB drives & flash drives, we've had zero failures, while I've seen > problems with LUKS (and other software solutions). Yes, a software-based > solution offers more of an opportunity to recover after a problem, but > at the risk of being more fragile and requiring more > 'maintenance' (think OS upgrades on encrypted devices, driver updates, > migration from untrusted software [ie., Truecrypt] to other products) > in the first place. Hardware dies, whether you've anecdotally experienced it or not. At least with bitrot you're able to combat it and prevent it. However, when I say "reliable", I mean in a sense of cross-platform interaction (hell, *cross host* compatibility, not even necessarily cross-platform). I mean durable in the sense of security, and "future-proofing" your storage. There is also the case of hardware interfaces- how long until SD bays are deemed obsolete? What value do your SD devices have then, especially with their added cost of hardware-level encryption (assuming it were to exist)? A soft-encrypted volume you can move over to a new device, or run redundancy against, store in backups, etc- heck, run it as a RW loopback filesystem image file stored ON an SD for all I care, because at least then you aren't relying on a hardware mechanism for encryption. I'd like to hear more about the LUKS failure you said you experienced, however. I'm not aware of that happening, and I have a sneaking suspicion it's not actually related to LUKS. Do pardon me for being a natural skeptic. > For many people and situations, a low-maintenance applicance (ie., > hardware encryption) requires less effort to configure and use. The number of people interested in actually using encrypted storage is, I wager to guess, roughly equal to the people who know how to do so on a software level. Maybe not the cryptsetup commandline, but they sure as hell can use the various DE's GUI disk utilities to do so. Or CipherShed if cross-platform compatibility is needed. Which, yes, has a GUI. If it's so easy to set up that it requires no additional effort from the user to secure, then chances are likely that it isn't. > Thanks anyway, > > Mark -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJVjyfPAAoJEIwATC+TSB9rVqwQALHhiLRV6s7xYyRi8eG969/D Nf9SNVhoJGgTQ5i3WXmD2z0B/nhLN1bWPcVNJ7Nmiu0500C86HlMXYUFoKedgItA AKoL7lZlaqLflpSUVr6U7J+ZVLF+VfNuN9VQKwe/pZFE5/HFQxyjAmtUnlZSIyKa lDL9v+PnFfihjg7xIOMbMBEI7dr+QJAcaTXbz7Zmo9uScnJHLzbzPg/mla069feg mPt9iKp9HhXz3gwmTB1VPyqx5g7kl50SOJSBv9/26+0nqT9F75J5z6K8uR3uSqUW lq+w3L3/7Q+/5/UMI2poHXekBhmcGSBu68FdYDe3Zzi5ZljyO8jXmAfnxEErgZ6a zJl4iCJiQscujZCgpaWojJlOjtih4gaJqvi1Ub4H96NT0KErrl3OHIBHnnBhjRbo nUB3feDTgcBessfIVG1SGqW61r0H9Tb/VeW0TM6aWpcz97o64wuemRcoAmzLgBo+ YgYHlCPxNDKHOjpJTlGEQIQE5jZ40SuvBAJbxTzODGPC41xHD2pHiJsz2EJBUuwb ie7SzdDbWbAHQ4Gg2hSEAYDB+Z1DxHF6X/OhCRjTNy6EG1B7DEH07qCN9FNLCUn7 86+k/PnvkzFxzEM1hkUph8+jkcHjWQzzxyDeTdOxKzSrYQJm2/xDzOytOumL5ccH 9JiQdwiY29Krd/KN6G2O =Ndjr -----END PGP SIGNATURE----- ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug