
5 Comments

  1. 4

    Sceptic

    I still don’t see how all this crypto is going to protect you from someone with a $5 hammer.

  2. 3

    lj

    Lasander, that is indeed of limited use, but so is everything, and I would say it does slow people down (at least for a few minutes), especially if they didn’t come prepared for it.

    What might be more worrying is the possibility of someone replacing your bootloader or, in Linux, the dm-crypt mounter by some version that does keylogging. Actually, Linux is a bit lax in this as the /boot partition allows quite some space for this. If everything but the bootsector is encrypted, this is (I guess) harder.

  3. 2

    Lasander

    There is no point in setting a BIOS password. Once an attacker has *physical* access to your computer then there is no defense unless your drive is encrypted and if the machine is turned on at the time even whole disk encryption might not save you.

    All you need to do with a BIOS password when you have physical access is to reset it via jumper or just take the BIOS battery out for a few minutes. Doesn’t even really slow people down. You could also just take the drive out and just stick it into your own machine.

    1. 2.1

      Joseph

      Lasander, my case has a lock on the panel (as well as a locking front panel that covers the power/reset buttons, optical drive, etc.). They’d need to have a crowbar to get at the motherboard’s BIOS battery.

      lj, the answer to your scenario is an intrusion detection system (IDS) that compares the checksum of files with a secured copy. If that copy was on the encrypted drive, it could be run after boot to compare the bootloader signature with the stored checksum and detect a change. You could get REALLY fancy and boot from a flash drive or memory card and run an IDS on the boot partition comparing the values to those stored on the memory card to know if it’s safe to boot the PC or not. :-)

  4. Pingback: Quickies: physical security primer « 0ddn1x: tricks with *nix
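
The checksum comparison Joseph describes, extended to the boot sector lj mentions, as an added example that is not part of the original comments. The JSON baseline format, the names `snapshot`, `compare` and `<bootsector>`, and the temporary stand-in files are all assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path, limit=-1):
    """SHA-256 of a file, or of its first `limit` bytes (e.g. a 512-byte boot sector)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(limit)).hexdigest()

def snapshot(boot_dir, disk=None):
    """Map every file under boot_dir (and optionally the disk's boot sector) to a hash."""
    boot_dir, result = Path(boot_dir), {}
    for p in sorted(boot_dir.rglob("*")):
        if p.is_file():
            result[p.relative_to(boot_dir).as_posix()] = sha256_of(p)
    if disk is not None:
        result["<bootsector>"] = sha256_of(disk, limit=512)
    return result

def compare(baseline, current):
    """Report what changed between the stored baseline and the current state."""
    common = baseline.keys() & current.keys()
    return {"modified": sorted(k for k in common if baseline[k] != current[k]),
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}

def demo():
    """Constructed stand-ins for /boot and the disk; no real system files are read."""
    with tempfile.TemporaryDirectory() as d:
        boot, disk = Path(d, "boot"), Path(d, "disk.img")
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "grub" / "grub.cfg").write_text("constructed config\n")
        disk.write_bytes(b"\x00" * 510 + b"\x55\xaa" + b"rest of disk")
        # The baseline belongs on the encrypted volume or on removable media.
        stored = Path(d, "baseline.json")
        stored.write_text(json.dumps(snapshot(boot, disk)))
        # Simulate the change lj describes: boot code replaced, a file dropped in.
        (boot / "vmlinuz").write_bytes(b"constructed kernel image, altered")
        (boot / "initrd.extra").write_bytes(b"unexpected file")
        disk.write_bytes(b"\x90" * 510 + b"\x55\xaa" + b"rest of disk")
        return compare(json.loads(stored.read_text()), snapshot(boot, disk))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A check run from the installed system reports a change only after the passphrase has already been typed into the altered boot code. Running it from the separate flash drive or memory card gives the answer before that point.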
