Rich Freeman on 7 Nov 2018 13:09:48 -0800



Re: [PLUG] Fwd: Self-Encrypting Solid-State Drive Vulnerabilities


On Wed, Nov 7, 2018 at 2:32 PM Keith C. Perry
<kperry@daotechnologies.com> wrote:
>
> One of the more interesting notices...
>
> I'm curious, was anyone using this?
>

BitLocker in Win10 uses this by default if the drive advertises
support for it, so it is a big deal if you use BitLocker.  I checked
my one Windows laptop and it was using software encryption.  You can
force this using the Group Policy Editor.

I suspect use of this in Linux is less common, but it can be done.
hdparm can be used to access drive security settings.

I have used this for secure erase.  Typically I do this in addition to
overwriting the drive contents, in the hopes of clearing any data the
drive might be storing in inaccessible areas.  I believe secure erase
is sometimes implemented by having drives encrypt data by default
using a session key stored in flash, and then just changing the key.
So, your drive might be encrypting everything even if you don't tell
it to - if so it is just a black box to the user.  However, this might
not be super-common, otherwise I'm not sure how hard drive recovery
shops would work.  In any case, if you're using secure erase on top of
overwriting, then the amount of data that might be leaked would be
pretty minimal.

Obviously if you're using software encryption (LUKS/etc) on top of the
disk then it really doesn't matter what vulnerabilities the drive
might contain.  At most it might leak encrypted data that was thought
to be overwritten, which shouldn't be a problem if your encryption is
decent.

 --
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug