Security Basics mailing list archives

Re: Laptop - Full Disk Encryption? (Booting defeats FDE)


From: "Tim A." <security-basics () lists goldenpath org>
Date: Thu, 06 Dec 2007 14:23:00 -0500

Yes, but disk encryption is not about intrusion prevention. That's a separate issue.

If you were running an OS on an encrypted disk, the encrypted disk does not make the processes of the OS any more secure than if the disk were not encrypted. The OS's vulnerabilities are still vulnerable; the disk encryption does not help in that regard. If a user is compromised, the consequences are the same, almost.

Disk encryption is more about mitigation. Just dismount the volume and capture is moot to the guest, other than being offline (obviously). Its data is safe, or at least all the data that was not yet captured before the plug was pulled.

I'm thinking of it more as a computer with a BIOS password that cannot be blanked out, locked in a room that when the door is closed cannot be opened except by the owner. It's still a computer, and while the door is open and the computer is on it's still vulnerable and always will be.

Not saying it's perfect. Nothing is.
Just an idea.

Ansgar -59cobalt- Wiechers wrote:
On 2007-12-06 Tim A. wrote:
Here's a crazy idea:

Run a Virtual Machine inside a TrueCrypt volume.
The VM cannot even be opened until the TrueCrypt volume is mounted.
*Everything* is encrypted, paging file / swap file, OS and User right down to your CMOS and boot blocks.

How will it perform? Good question. Give it a shot.

Performance issues aside, an attacker will still be able to manipulate
the host operating system, which in turn will be able to manipulate the
guest operating system once the VM is started. Virtual Machines are
designed to protect the host OS from the guest OS, *not* vice versa.

Regards
Ansgar Wiechers

