Ask HN: How do you encrypt your laptops?
Read this story about lost macbook pro [0], I am wondering about the encryption tools for laptops. Even though a lot of work we do these days is on cloud (github/bitbucket/gitlab, dropbox etc), I still would hate to lose my laptop specially if unencrypted
[0] https://news.ycombinator.com/item?id=11759741
154 comments
[ 2.3 ms ] story [ 213 ms ] threadCoupled with encrypted Time Machine backups and Arq[0] I feel relatively ok about losing my machine.
[0] https://www.arqbackup.com
I had a TimeMachine backup too but hadn't synced recently and ended up doing a bunch of hackery to recover the un-synced data :(
I much prefer 2FA & revocable certificates on remote accounts so I'm not worried about unauthorized access, and anything else important is encrypted independently.
So, it will keep the honest out, but for someone who knows what they're doing, it will only prove a mild inconvenience.
This obviously doesn't help them bypass FDE, but in case they want to steal the laptop and not have a brick, the SPI writer works a treat.
[1] https://trmm.net/SPI_flash
Besides any potential thief wont even know whether you're running FDE or not on the laptop they steal, or whether it would be bricked or not. They can always sell it for its parts (screen, etc) anyway.
Whereas, if someone straight-up steals it, they have no chance of recovering data if the encryption is strong and key isn't in memory (eg cold boot). You can also transmit media through untrusted channels that way. Even NSA's Inline Media Encryptor, which my inspired my designs, has that use case.
Sure, but that's different from anti-stealing (and I mean stealing the machine of course, not the data).
I would assume this is true for all encryption schemes. But, really the most advanced stuff runs on linux based machines, I would proffer.
Having all memory sticks encrypted makes for wonderful peace of mind.
Otherwise, they may be able to snag your SSH RSA keys off of the hard drive, and if you've password protected it, they can try to brute force it.
Also, it helps safeguard against border patrol wanting to access your data while traveling.
My problem with hardware tokens is simply that I lose them.
There are Yubikey-specific PAM modules you can use as a second factor for logging in locally, and there are probably ways to use standard smartcard authentication for login purposes as well but I don't have experience with that. I mainly use it for remote SSH login purposes.
I wish it were a bit easier to enable per-user encrypted home directories as well (yes, layered: CPUs are fast, and security is worth the cost), but … I'm lazy.
If you've got the requisite ecryptfs packages installed, you can just run something like: "adduser --encrypt-home newusername" and there you go. It works on top of any filesystem, because it encrypts on a per-file basis.
Then again, Debian isn't really either given the systemd fiasco that is Jessie.
How has that whole debacle impacted you? I still have several squeeze(or whatever oldstable / jessie-1 is) boxes that I'm loathe to upgrade, and considering just biting the bullet and switching to either Ubuntu, which has a more mature systemd seutp, or some other distro entirely (OpenSUSE seems to be the place to be when it comes to bleeding edge secure rolling releases), but the familiarity I have for Debian continues to make that difficult to make the leap.
I've very reluctantly upgraded to Jessie with systemd few months ago and, to my surprise, it simply works.
Cursory googling returned entries from 1-2 years ago, so my google fu is not sufficient.
The main thing to watch out for is to add new users appropriately to some system groups like sudo, cdrom, audio and such.
Why create an admin user when root already exists?
You can always delete the user account you created at install time too, after you have set up the root account with a password.
How else would I attempt to appear superior? :^)
You can't always know the thoughts based solely on the words. There's almost never a one-to-one mapping. You can't always read minds.
Think about it like this: I understand that it might be perceived by some English speakers as "sophistication" (more on that later), but for a lot of others who speak other languages, there is absolutely no pretense of sophistication in using latin expressions for this is both how we have always talked and what we picked up along the way in life.
Expressions such as "a priori", "grosso modo", "primo/secundo/tertio/quarto", "sine qua non", "ad nauseam", "a fortiori", "a contrario", "status quo", "de facto/de jure", are very common in colloquial French.
Others, for example: "quod erat demonstrandum", "reductio ad absurdum", and some of the aforementioned mostly were picked up inmaths classes/books.
I learned most of this stuff as a child because people just talked like that around me. Do I have to appologize because someone thinks I'm doing it to appear superior? That's similar to some people who think someone is arrogant just because he's good looking. Doesn't this feeling tell them more about themselves than about the hypothetical arrogance/sophistication attempt?
Think of it another way: If I work in the sun and get a tan, why on earth would you assume that my tan is pretentious? Seems silly to connect the two, right? But they were connected in the past: the expression blue blood, after all, that is used to describe nobility came from the fact they were so pale their veins we apparent, contrary to the peasants who had to work in the sun and were tanned..
What used to indicate "low-birth" now has become attractive. We're funny that way.
To get back to what I said, this is not unique to English speaking people. I was raised with two languages home + one street language + one school language. Other children from poor families (one street language + one school language) preceived this as a sophistication attempt because they perceived me as someone coming from means. I wasn't. They associated speaking that language with wealth; I didn't. It didn't even cross my mind.
Then again, it's not even about wealth: they didn't mind someone like them (farmer) having money.. but they loathed people they considered "fancy" (for them, educated meant fancy).
Some people here have this stereotype (the correlation is that they're mostly people from poor neighborhoods) because they don't understand basic logic: "A implies B" doesn't mean "B implies A". They think "People from wealthy fancy families speak French", so they go the other way around and say "People who speak French come from wealthy fancy families".
But then again, it's not about latin phrases, wealth, or french, for some people in France would consider someone speaking in English as attempting to appear superior. And it's not even about France for some people in Egypt think people who speak English try to seem superior. How 'bout that! You wouldn't consider English fancy, would you?. But a lot of people around the world do.
What's the conclusion? The conclusion is that this isn't about the other, it's about us and our thought processes, our insecurities and assumptions.
The conclusion is that if you perceive what someone says to be an attempt to be sophisticated, maybe you can start with an assumption check: can you for a fact read minds? Does your assumption tell you something about yourself more than it does about the other? It does.
I'm not being judgemental, I just find the way we think fascinating. I spend a lot of time trying do destroy my own argum...
https://www.youtube.com/watch?v=IIAdHEwiAy8
If you were stopped at a border crossing and asked to unlock your drive for inspection, would you do so?
It's not necessary to cross a border anymore with anything "interesting" on your laptop.
Just push everything of value to the cloud before crossing. Carry a USB drive with an OS on it. Format your laptop before crossing. Let them have fun "inspecting". Oh, and I'd advise doing something like
before loading the clean OS. That way there's nothing of value on the drive even if forensic tools are used to look for previous data.Or maybe just use a Chromebook. They can't force you to unlock access to any cloud accounts, can they? Certainly not as a pre-condition for crossing a border? With a court order, yes, but then you definitely need to get an attorney involved to protect you.
So they can make unlocking any of your accounts a prerequisite for entering.
As for the cloud, I store nothing sensitive on there. I used truecrypt, but now I find VeraCrypt easier to use and install. I lost my last installer of truecrypt, and I don't trust the ones floating around.
VeraCrypt hasn't been audited yet. This is a bad thing :)
Verify the GPG key fingerprint and hashes: https://news.ycombinator.com/item?id=7812905
Most of my other installations (Mac, Linux, FreeBSD) are encrypted (LVM, ZFS, etc) or will be soon.
To be honest this only really helps against casual attackers (lost/stolen machine) because much of my personal data is in OneDrive which will offer me no protections against governments or determined individuals.
or can you somehow still mount, unlock and retrieve the files that weren't affected?
Advantages:
Disadvantages:This can be implemented in secure hardware (and without getting into attacks against that), you can make a password attempt, but can't modify the counter which tracks how many incorrect attempts have been made. Sufficient incorrect attempts will see the key material destroyed.
That drive claimed 128 bit AES, but they botched it.
Just disconnect the CMOS batteries; you can find tutorials online. Or you can take it to a computer shop, it should be a simple fix.
I suggest you look at the many guides and videos, just search "removing BIOS password".
I had a Pentium III based HP laptop that stored the password on a chip that didn't require a battery to evade such a trick. The only fix was using the backdoor password that could be generated by using the serial number of the laptop (HP required proof of ownership, but I had dumpster dived this from their offices). The backdoor password was retrieved by wiring 50 USD to a fellow in the czech republic who had the keygen tool HP support would use.
For most people this is more than enough.
It's tangential, but while on the topic of securing lost laptops, you should also password-protect GRUB and BIOS. Ideally, all three will use different passwords that are relatively long. Properly securing these elements in addition to having full-disk encryption will make your lost laptop useless to the would-be thieves.
- ChromeOS built-in encryption/LUKS FDE on the Fedora partition on my Chromebook
I should probably encrypt my Android phone and tablet, but I had a bad experience with performance overhead when I encrypted my last phone.
I have a USB key or two on my key-ring, and in theory I have an external hard-drive although currently I don't use it.
I keep code on a VM and GitHub.
In general I don't really have anything I can't lose or have made public. Instead of looking at my laptop as a thing I have to protect I look at it as a thing that will inevitably be lost, damaged or replaced.
If a nation-state wants to "get me", they will. In fact most of us would probably not be able to withstand a targeted attack by a skilled or simply motivated attacker.
I don't expect my hard-drive being encrypted would save me in court. I probably wouldn't ultimately withstand a prolonged beating in defense of it either.
It all comes down to whether your juice is worth the squeeze. I have very little juice (on display), and I don't give anyone much reason to suspect there's more juice out there.
Does anyone have a good multiboot disk encryption setup?
On Linux I sometime use LUKS disk encryption. For adhoc disk container file disk encryption I use Veracrypt which is the successor of Truecrypt.
Full compatibility with third party boot loaders (LILO, GRUB, etc.). Encryption of system and bootable partitions with pre-boot authentication. Option to place boot loader on external media and to authenticate using the key media. Support for key files. Full support for external storage devices. Option to create encrypted CD and DVD disks. Full support for encryption of external USB storage devices. Automatic mounting of disk partitions and external storage devices. Support for hotkeys and optional command-line interface (CLI). DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file systems.
Another thought, what other things could someone do?
check for the existence of a USB stick or SD card plugged into the machine inorder to actually mount home? Log user into a chroot env and mount nothing unless a usb stick exists?
with http://www.passwordcard.org/ passwords
Works.
I run Mint on my ThinkPad, and encrypted the hard drive at install-time (which is LUKS in the background). This means I have a separate password for the OS and my user data. The boot password is very long (it's a saying that is memorable to me) so is pretty difficult to brute-force, while my user password is complex enough for regular use. I also have my user data encrypted. LUKS can leverage the AES instructions on current-gen CPUs to speed up encrypted operations to near-native speeds, but even without it, you'll only notice a slow-down if you're doing heavy IO. My MBP is an old Core 2 Duo and is not unsable with FDE enabled.
I also used my Yubikey as a second factor for a time - you can hook this into the LUKS decryption screen to hash the passphrase a second time to generate the decryption key. While I was at it, I had my Yubikey set up to be required to log in or unlock the screen. So while there was a backup passphrase to unlock the hard drive, I couldn't get into my own user account without the Yubikey. I eventually disabled this because I thought it was overkill, but it works pretty well.
However, don't forget that encryption ONLY protects data at rest! A laptop in sleep mode is NOT secure, even with FDE. I always shut down the machine completely when I'm in a situation I could lose it (e.g. airport security). Otherwise, the keys are kept in memory, and a determined hacker has ways of getting to them - look up DMA attacks. Downloading the contents of RAM through a firewire port is pretty trivial these days.
A final thing to note - none of these methods stop a thief installing their own OS on your machine. Whilst this means your data is secure, you can make things a little bit harder for the thief by adding a boot or BIOS password to prevent them booting from a different medium. There are ways to reset this, admittedly, but since it won't get in your way (much), add another stumbling block for your enemy.
If you use UEFI with secure boot (and your own keys with the windows ones removed, and an administrative password set up in your firmware) then you're in theory protected against that attack as well. What's more, openSUSE Just Works™ with UEFI. I wanted to flash LibreBoot (a CoreBoot distribution that is free as in freedom) but I'm worried about bricking my laptop (as well as not being sure about how good Linux's support is for that).
The main hassle is I have to open the drive and enter the password before using. But its used infrequently.