From 302ea0f504d0d000fa33083e45b1e6c1f05ded32 Mon Sep 17 00:00:00 2001 From: Francis Rowe Date: Sat, 19 Sep 2015 14:33:54 -0400 Subject: FAQ: more notes about HDD/SSD security --- (limited to 'site/faq/index.php') diff --git a/site/faq/index.php b/site/faq/index.php index daf8b31..1348413 100644 --- a/site/faq/index.php +++ b/site/faq/index.php @@ -603,6 +603,9 @@ or BusyBox/Linux.

+ SSDs and HDDs are a special case, since they are persistent storage devices as well as computers. +

+

Example attack that malicious firmware could do: substitute your SSH keys, allowing unauthorized remote access by an unknown adversary. Or maybe substitute your GPG keys. SATA drives can also have DMA (through the controller), which means that they could read from system memory; the drive can have its own hidden storage, theoretically, where it could read your LUKS keys and store them @@ -663,6 +666,22 @@

  • http://motherboard.vice.com/read/the-nsas-undetectable-hard-drive-hack-was-first-demonstrated-a-year-ago

    • + It is recommended that you use full disk encryption, on HDDs connected via USB. There are several adapters available + online, that allow you to connect SATA HDDs via USB. Libreboot documents how to install several GNU/Linux distributions + with full disk encryption. You can adapt these for use with USB drives: +

    + +

    + The current theory (unproven) is that this will at least prevent malicious drives from wrongly manipulating data + being read from or written to the drive, since it can't access your LUKS key if it's only ever in RAM, + provided that the HDD doesn't have DMA (USB devices don't have DMA). The worst that it could do in this case + is destroy your data. Of course, you should make sure never to put any keyfiles in the LUKS header. + Take what this paragraph says with a pinch of salt. This is still under discussion, and none of this is proven. +

    +

    Back to top of page

    -- cgit v0.9.1