diff options
| author | Francis Rowe <info@gluglug.org.uk> | 2015-09-19 14:33:54 (EDT) |
|---|---|---|
| committer | Francis Rowe <info@gluglug.org.uk> | 2015-09-19 14:33:54 (EDT) |
| commit | 302ea0f504d0d000fa33083e45b1e6c1f05ded32 (patch) | |
| tree | db07237081ce4e194a8496368a2d3b010769c1cf /site/faq/index.php | |
| parent | a27b3a4a4282647b3b5233ffeed89281832d9954 (diff) | |
| download | libreboot.org-302ea0f504d0d000fa33083e45b1e6c1f05ded32.zip libreboot.org-302ea0f504d0d000fa33083e45b1e6c1f05ded32.tar.gz libreboot.org-302ea0f504d0d000fa33083e45b1e6c1f05ded32.tar.bz2 | |
FAQ: more notes about HDD/SSD security
Diffstat (limited to 'site/faq/index.php')
| -rw-r--r-- | site/faq/index.php | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/site/faq/index.php b/site/faq/index.php index daf8b31..1348413 100644 --- a/site/faq/index.php +++ b/site/faq/index.php @@ -603,6 +603,9 @@ or BusyBox/Linux. </p> <p> + SSDs and HDDs are a special case, since they are persistent storage devices as well as computers. + </p> + <p> Example attack that malicious firmware could do: substitute your SSH keys, allowing unauthorized remote access by an unknown adversary. Or maybe substitute your GPG keys. SATA drives can also have DMA (through the controller), which means that they could read from system memory; the drive can have its own hidden storage, theoretically, where it could read your LUKS keys and store them @@ -663,6 +666,22 @@ <li><a href="http://motherboard.vice.com/read/the-nsas-undetectable-hard-drive-hack-was-first-demonstrated-a-year-ago">http://motherboard.vice.com/read/the-nsas-undetectable-hard-drive-hack-was-first-demonstrated-a-year-ago</a></li> </ul> <p> + It is recommended that you use full disk encryption, on HDDs connected via USB. There are several adapters available + online, that allow you to connect SATA HDDs via USB. Libreboot documents how to install several GNU/Linux distributions + with full disk encryption. You can adapt these for use with USB drives: + </p> + <ul class="cascade"> + <li><a href="../docs/gnulinux/encrypted_trisquel.html">Full disk encryption with Trisquel GNU/Linux</a></li> + <li><a href="../docs/gnulinux/encrypted_parabola.html">Full disk encryption with Parabola GNU/Linux</a></li> + </ul> + <p> + The current theory (unproven) is that this will at least prevent malicious drives from wrongly manipulating data + being read from or written to the drive, since it can't access your LUKS key if it's only ever in RAM, + provided that the HDD doesn't have DMA (USB devices don't have DMA). The worst that it could do in this case + is destroy your data. Of course, you should make sure never to put any keyfiles in the LUKS header. + <b>Take what this paragraph says with a pinch of salt. This is still under discussion, and none of this is proven.</b> + </p> + <p> <a href="#pagetop">Back to top of page</a> </p> |