Ne znam ni sam gdje otvoriti ovu temu, veže se i za SSD i za OS i za aplikacije pa ajmo zasad staviti ovdje.
Nedavno sam otvorio Samsung Magician da provjerim ima li nova verzija aplikacije i firmwarea za SSD te usput malo detaljnije proučim opcije koje su unutra. Tako sam naletio da je TRIM uključen, ali samo za particije koje nisu kriptirane TrueCryptom (kojeg koristim brat bratu 10 godina, znam ga već u dušu).
Sad tu dolazimo da problema gdje u dokumentaciji TrueCrypta jasno piše da TRIM i wear-leveling rade samo kad se koristi system encryption što bi značilo enkripcija cijelog SSD-a. Naravno, to na mom laptopu nije moguće jer ima UEFI BIOS, a TrueCrypt ne zna raditi s UEFI-jem i GPT driveovima.
Isto tako piše da se ne preporuča korištenje TrueCrypta s TRIM-om i wear-leveling mehanizmima radi sigurnosti podataka kad ih ti isti mehanizmi krenu raspršivati po driveu radi optimizacije, ali to mi nije toliko bitno. Napominjem čisto da upozorim ostale.
Citiraj:
Trim Operation
Some storage devices (e.g., some solid-state drives, including USB flash drives) use so-called ‘trim’ operation to mark drive sectors as free e.g. when a file is deleted. Consequently, such sectors may contain unencrypted zeroes or other undefined data (unencrypted) even if they are located within a part of the drive that is encrypted by TrueCrypt. TrueCrypt does not block the trim operation on partitions that are within the key scope of system encryption (see chapter System Encryption) (unless a hidden operating system is running – see section Hidden Operating System) and under Linux on all volumes that use the Linux native kernel cryptographic services. In those cases, the adversary will be able to tell which sectors contain free space (and may be able to use this information for further analysis and attacks) and plausible deniability (see chapter Plausible Deniability) may be negatively affected. If you want to avoid those issues, do not use system encryption on drives that use the trim operation and, under Linux, either configure TrueCrypt not to use the Linux native kernel cryptographic services or make sure TrueCrypt volumes are not located on drives that use the trim operation. To find out whether a device uses the trim operation, please refer to documentation supplied with the device or contact the vendor/manufacturer.
Wear-Leveling
Some storage devices (e.g., some solid-state drives, including USB flash drives) and some file systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or medium. These mechanisms ensure that even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). Therefore, multiple "versions" of a single sector may be available to an attacker. This may have various security implications. For instance, when you change a volume password/keyfile(s), the volume header is, under normal conditions, overwritten with a reencrypted version of the header. However, when the volume resides on a device that utilizes a wear-leveling mechanism, TrueCrypt cannot ensure that the older header is really overwritten. If an adversary found the old volume header (which was to be overwritten) on the device, he could use it to mount the volume using an old compromised password (and/or using compromised keyfiles that were necessary to mount the volume before the volume header was re-encrypted). Due to security reasons, we recommend that TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism (and that TrueCrypt is not used to encrypt any portions of such devices or filesystems)
|
Kako za svaki problem postoji rješenje ili workaround, tako i ovdje imam nekoliko opcija pa me čisto zanima mišljenje eksperata u tom polju. Budući da se TrueCrypt nažalost odavno više ne razvija, a ja ne mogu i ne želim prelaziti s UEFI/GPT na legacy BIOS/MBR, kao alternativa se predstavlja Microsoftov BitLocker jer:
1. ne, ne želim isprobavati VeraCrypt i ostale
2. laptop u sebi ima TPM 2.0
3. koristim Windows 10 Pro Build 1809
4. BitLocker od Windows 10 Pro Build 1511 podržava encryption mode XTS-AES kao i TrueCrypt i postaje još sigurniji kad se
prebaci na 256-bit AES
Ali me muči jedna stvar, a to je odabir hardware ili software enkripcije. Sudeći po
ovom i
ovom linku, tu postoji problem kad je u pitanju kombinacija hardware enkripcije i SSD-ova jer Windows 10 očekuje da enkripciju odradi SSD, a ovaj ne radi ništa. Vraćam se natrag u Magician i vidim da tu postoji stavka Data Security.
Tražim po internetu i vidim da baš moj jadni Samsung 850 EVO taj posao kljakavo odrađuje odnosno nikako ne odrađuje i da sam prisiljen koristiti software enkripciju.
Mene sad zanima nekoliko stvari jer nikad nisam koristio BitLocker na SSD-u i na Windows 10:
1. koliko je softverska enkripcija brža/sporija od hardverske?
2. prepostavljam da je recovery u slučaju neke havarije lakši kad je enkripcija softverska?
3. kako u tom slučaju rade TRIM i wear-leveling?
4. postoji li kakva rupa zvana backdoor i slično?
5. ima li još nekih skrivenih caka?
Eto, ako netko ima iskustva s tim stvarima, bilo bi mi drago da ih podijeli. Hvala unaprijed.