User Controls
Having an encrypted external HD that nobody can get into w/o a password
-
2018-03-06 at 9:31 PM UTC
-
2018-03-06 at 11:18 PM UTClaughed so hard at this fucking thread, sorry OP
-
2018-03-06 at 11:21 PM UTC
-
2018-03-06 at 11:26 PM UTC
-
2018-03-07 at 1:10 AM UTCoooOOOoooOOOoooOoOO
-
2018-03-07 at 2:36 AM UTCop is a .pdf
-
2018-03-07 at 12:16 PM UTC
Originally posted by inb4l0pht Lol. This is way beyond overkill and will do nothing but unnecessarily load your CPU and make disk operations slow as shit. There isn't even really a theoretical advantage because nobody is ever going to try to crack the ciphertext directly. It's computationally impossible even with something considered 'weak' like 128 bit blowfish. Passwords are almost always the weak link and so an attacker will pour his resources into brute forcing the hashed version on disk, which he can then use to unlock the volume's master key.
You're better off using AES (128 bit is plenty secure and usually faster, especially with the hardware instructions built into newer CPUs) with a strong password (30+ characters) and strong hashing (scrypt or bcrypt, while not widely implemented, are designed specifically to be hard to brute force. Otherwise PBKDF2 with lots of iterations is fine).
Lol. Yeah there’s always at least one person every time this topic gets brought up. I’ve been doing this for a while and haven’t noticed any significant performance difference. Really it’s just for hedging my bets, so to speak, in case one of the major encryption protocols has a secret backdoor or as-yet unidentified exploit (even though this is extremely unlikely). After all, it’s well known that there is precedence for the NSA influencing encryption standards. We all know what happened the last time their secrets leaked out.
Since large amounts of money are involved, any marginal sacrifice in convenience is worth it to me for even a very small increase in security.
Let’s just agree to disagree -
2018-03-09 at 4:06 PM UTC
Originally posted by Fox Paws I’m curious what would u recommend for OP
VeraCrypt is fine, it's literally just a slightly updated fork of TrueCrypt, and I've posted my thoughts on the security and audits of that several times in the past. I'd personally go with LUKS/DMCRYPT/etc but it's not a good option if you don't work solely with *nix machines.
In terms of algorithms I use SERPENT by itself - it came in second for the AES standard after Rijndal or however you spell it; slightly harder to break and slightly more computationally-intense. The only reason I use it is paranoia, the idea being that if someone really wanted to get into it they wouldn't be able to use custom AES-ASIC implementations to try to break it - it wouldn't be cost-effective to build SERPENT-ASIC hardware so it's less likely anyone has it. Actual bonus to crypto strength is negligable. Using cascading ciphers typically just adds CPU load and I believe in some cases it's vulnerable to *theoretical* attacks.
SHA-256 hash and ~30 char key.
If you're profoundly paranoid, there are a few things you can do over and above (relating to an encrypted system/OS drive, not removable) - I've tried a few:
1. When using FDE (I've done this with LUKS but you can likely do the same with True/Vera/Crypt), you can move the LUKS header and bootloader onto an external drive (USB, microSD etc). Instead of booting to a clean partition that prompts you for a passphrase to unlock the machine with, you'll need to boot from the USB - trying to boot without it will just report that the partition/drive is unusable. If you keep the key on you at all times it prevents people from tampering with the bootloader.
2. Similar to the above, you can add a password to your BIOS (or UEFI or whatever). This will stop anyone from booting to another device to tamper with your bootloader, but does nothing to stop them from removing your harddrive and putting it in one of their systems. As an aside, depending on who your 'adversaries' are they're likely to have the ability to backdoor or overwrite your UEFI with compromised code.
3. Specific to LUKS, there's a patch (I couldn't find it with a quick search but I've seen it before) that will allow you to add a 'self-destruct' passphrase - if you enter the self-destruct passphrase, the bootloader will destroy your LUKS header making the encrypted volume completely unreadable instead of decrypting it. It'd work well if someone was trying to force you to give up the key or if you needed to destroy data in a rush, but they'd likely be very unhappy with you and you'd end up in a worse place than you'd be if you'd just given them the key to your porn stash. -
2018-03-09 at 8:19 PM UTC
Originally posted by Fox Paws in case one of the major encryption protocols has a secret backdoor or as-yet unidentified exploit
If this is the case, then the entire world is fucked, because everyone from banks to governments to the NSA themselves uses AES/Rijndael. And I would argue that having received the most attention from independent security researchers over the past 20 years, it's also the least likely to have an unidentified, catastrophic exploit. Any backdoor is probably going to exist as a buggy or intentionally vulnerable software implementation, and such problems are much more likely to happen and are more difficult to identify when you're adding unnecessary complexity with cipher cascades.
I think you're being autistic. Using multiple ciphers is not going to impede an attacker with the technical capability and resources to break one of them. The NSA already owns you at a hardware level. The FBI can covertly break into your house while you're away and install a pinhole camera above your work space to capture your password as you type it. And that's just the tip of the iceberg.
I won't agree to disagree, because there's no practical scenario where a cipher cascade is actually useful, and certainly not one where an order of magnitude performance penalty is a worthwhile trade off. It only lures you into a false sense of security and distorts your view of realistic threat models. -
2018-03-09 at 8:40 PM UTC
-
2018-03-10 at 1:29 AM UTC
-
2018-03-10 at 10:46 AM UTC
-
2018-03-10 at 4:07 PM UTC
Originally posted by Enter but thats why crypto programs have fake passwords, where it takes you to the fake contents, but the intruder actually thinks they're in.
this comic sucks and so do you.
You are mentally defective.
Everyone knows false volumes are a thing. That's why they don't work outside of the imagination of crypto nerds. If you are specifically targeted by an adversary that wants to get into your encrypted files, they already know you have shit. The question is not whether or not they know you have it, it's whether or not you give them the ability to access it. If you give them the password to the false volume, the only thing it will accomplish is getting your bitch ass beat for being a smartass. -
2018-03-10 at 4:11 PM UTC
Originally posted by Jeremus You are mentally defective.
Everyone knows false volumes are a thing. That's why they don't work outside of the imagination of crypto nerds. If you are specifically targeted by an adversary that wants to get into your encrypted files, they already know you have shit. The question is not whether or not they know you have it, it's whether or not you give them the ability to access it. If you give them the password to the false volume, the only thing it will accomplish is getting your bitch ass beat for being a smartass.
nothing in that babbling was any kind of solid retort. if you died, i would genuinely be happy. like, it'd make me happy for at least a couple of days to find out you were dead. -
2018-03-10 at 5:34 PM UTC
-
2018-03-10 at 5:36 PM UTCHey guys if I say I won the argument I must have won the argument m I rite
-
2018-03-10 at 5:36 PM UTCEnter nobody who's going on vacation to America would talk about it that much.
-
2018-03-10 at 5:46 PM UTCEnter, you want so badly to fit in.
-
2018-03-10 at 8:34 PM UTC
-
2018-03-10 at 10:48 PM UTC
Originally posted by Jeremus Nice try at distracting from the fact that you got BTFO, nigger.
Originally posted by Jeremus Hey guys if I say I won the argument I must have won the argument m I rite
Originally posted by Jeremus Enter nobody who's going on vacation to America would talk about it that much.
Originally posted by Jeremus Enter, you want so badly to fit in.
Imagine being so btfo that you had to quadruple post to try and save face. Even speckles kept it limited to a triple post.