High on that list is full disk encryption, which security experts treat as sacrosanct: something everyone should be using, at a minimum. It is the encryption that ensures that someone who makes off with your device cannot read everything you have stored on it.
I'm here to argue that most of you would be better off without it. I know this might sound crazy coming from the security guy, but hear me out.
Don't get me wrong: I'm not going to talk anyone out of encryption. Without it, the machines we depend on every day would be unusable. So I'm not against encryption, period; I'm specifically against full disk encryption, and only for certain users.
What I hold is that for most people, whose use cases are about as unremarkable as they come, full disk encryption is overkill. These users gain no measurable security over other forms of encryption of data at rest, yet they pay for it with a measurable performance cost. That is not only a matter of battery life or charging time; it is a real cost to users.
Full disk encryption is generally implemented at a level of the computer that deals with how raw bytes, detached from the context of the data they represent, are laid out on the hard disk. We'll call this the block device level, because full disk encryption is implemented on the block device, which is a hard drive partition (just a name for a large segment of your hard drive).
This level sits above the level of the electrical signal but below the file system, the latter being the level at which your computer sees the bytes as files rather than just bytes. The file system serves as a kind of organizational chart that tells your computer which bytes go together to make up files, and how to tell files and file types apart.
So what exactly is this disk encryption that is not full disk encryption?
The answer is file system level encryption. Under file system level encryption, also known as "file-based encryption", the file system encrypts designated directories (that is, folders) and all the files and directories they contain, recursively, until the whole directory tree is covered. Encryption at the file system level can also encrypt an entire file system, automatically protecting everything stored on it. But for our purposes, we'll look at the kind of file-based encryption that lets users choose which files and directories to encrypt, leaving the rest alone.
To be precise, the scheme I have in mind is one that encrypts only user documents, media and other files that, on Unix systems, would end up in the user's subdirectory under /home. That way, you leave the core system files and the software binaries alone so the system can run, and protect only your actual private data.
This, as the name suggests, happens at the file system level, which is a higher level than the one at which full disk encryption operates. That has important implications. For starters, all your encrypted data are already files, which means they can be decrypted individually.
It also lets users tie file encryption to file permission controls. Because the entire disk is encrypted under full disk encryption, a user who knows the disk decryption password has to enter it before anything else can proceed. But along with the user files, all the files the operating system needs in order to run are locked too. A successful boot requires the entire block device to be unlocked, and once the disk is unlocked, everything is open.
To understand why, let's take a look at how encrypted block devices (such as flash storage) work. As a terminology refresher, "ciphertext" is the encrypted form of data, unreadable without the correct key, while "plaintext" is data in its original, readable form.
When you decrypt encrypted data at rest, your computer does not literally replace every bit on the hardware that stored the ciphertext with the plaintext. That would take far too long, and it would wear out your disk in short order from rewriting the entire disk every time you start up and shut down your device. Instead, the physical bits on your drive stay as they are, but they are read and written through a buffer that exists in memory once the correct key is applied. The buffer applies a decryption operation when reading data and an encryption operation when writing it to the drive. As your data is decrypted and read, the plaintext is held in memory so it can be referenced easily until you're done with it.
Adding all these extra steps slows things down considerably compared with unencrypted reads and writes, by a factor of ten. For full disk encryption, every single thing you do on your computer has to be read through this decryption buffer, because your entire block device and its contents are encrypted. Essentially, this includes all the binaries that run the operating system itself and all the software on it.
But with the configuration we've chosen for file-based encryption, only user documents and media files need to be decrypted. Most of the software you use on a daily basis is not part of those files. There are plenty of computing tasks that would not need to decrypt anything at all. For instance, we live so much in our web browsers these days that you can probably count on one hand the number of user files you've opened in the last 24 hours.
Obviously, your computer will have to decrypt some data, but even then, because encryption is implemented at the file system level, your file-encrypted operating system can do it more efficiently than its fully disk-encrypted counterpart.
Ultimately, any disk access, whether on a fully encrypted disk or on one encrypted via the file system, requires approval from the core of the operating system, the kernel. But because encryption under full disk encryption is managed at the level of system-wide privileges, the kernel must also concern itself with reading the block device through the decryption buffer.
Again, the encryption in full disk encryption sits at the block device level, which only sees uniformly sized blocks of bytes. But not all data fills a whole block. In fact, most doesn't. So block-level encryption works against the computer's built-in efficiency mechanism of updating only the parts of a file that have changed. Without full disk encryption, a computer can compare the updated version of a file in memory with the previous version on the drive, work out which parts are now different, and write only those changed parts to the file.
Your computer can achieve similar write savings with file-based encryption: when you update the plaintext version of your file in memory, the file is run through the encryption buffer and held temporarily in memory, then the operating system compares the new encrypted version with the last encrypted version on your disk to work out which bits have changed, and writes only those.
Under full disk encryption, by contrast, the operating system knows which parts of the file have changed, but because encryption is done by block and not by file, it now has to translate the file into blocks, encrypt the blocks, and write the blocks to the block device. Changes to a file that don't fit within a single data block can spill over into several blocks, all of which must then be run through the encryption buffer and rewritten in full to the block device. Even if all the modified data sits within one block, the whole block is rewritten, resulting in significant write overhead.
By its very nature, file system level encryption offers flexibility where full disk encryption does not. As mentioned above, full disk encryption is all or nothing. It encrypts your whole system, core files and all user data alike. So non-sensitive data that needs to load quickly (e.g. video or audio media you are editing) suffers from slower reads and writes.
Full disk encryption is also not ideal for multi-user systems, such as a shared household machine. Everyone who needs to use the machine has to know the full disk decryption password; otherwise the machine can't even boot into the operating system. And unlocking the machine for any one user unlocks the data for all users. It also means you can't enable features such as unprivileged "guest" accounts that can use the operating system without access to the locked user files.
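The layering described above (files on top of a file system, on top of a block device) and the multi-user point are easier to see in a small model. The following is an added example, not code from the article or from any real encryption product: a toy block device, a toy file system whose directory table lives in sector 0, a full-disk layer that runs every sector through the cipher, and a file-based policy that encrypts only paths under a user's home directory with that user's key. The cipher (an HMAC-SHA256 keystream tweaked by sector number, standing in for something like AES-XTS), the paths, the keys and the file contents are all constructed for illustration.

```python
import hashlib
import hmac

SECTOR = 256      # constructed toy sector size; real disks use 512 or 4096 bytes
N_SECTORS = 8


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream (HMAC-SHA256 in counter mode). A stand-in for a real
    sector cipher such as AES-XTS, used here only to make the layering visible."""
    out = b""
    for counter in range((length + 31) // 32):
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RawDisk:
    """What someone who copies the drive gets: sectors of bytes, no file context."""
    def __init__(self):
        self.sectors = [bytes(SECTOR)] * N_SECTORS

    def read(self, i):
        return self.sectors[i]

    def write(self, i, data):
        self.sectors[i] = data.ljust(SECTOR, b"\0")


class FullDiskEncryption:
    """Block-device layer: every sector, directory table and OS files included,
    passes through the cipher on its way to and from the raw disk."""
    def __init__(self, disk, key):
        self.disk, self.key = disk, key

    def read(self, i):
        return xor(self.disk.read(i), keystream(self.key, i, SECTOR))

    def write(self, i, data):
        self.disk.write(i, xor(data.ljust(SECTOR, b"\0"), keystream(self.key, i, SECTOR)))


class ToyFS:
    """Minimal file system: sector 0 holds the directory table, one sector per file.
    user_keys maps a home directory to its owner's key; only files under such a
    directory are encrypted at this layer, everything else is stored as-is."""
    def __init__(self, dev, user_keys=None, table=None):
        self.dev, self.user_keys = dev, user_keys or {}
        self.table = {} if table is None else table   # path -> (sector, length)

    @staticmethod
    def parse_table(raw):
        """Return {path: (sector, length)}, or None if the bytes are not a table."""
        try:
            entries = raw.rstrip(b"\0").decode("ascii").split(";")
            return {p: (int(s), int(n)) for p, s, n in (e.split(":") for e in entries if e)}
        except (UnicodeDecodeError, ValueError):
            return None

    @classmethod
    def mount(cls, dev, user_keys=None):
        table = cls.parse_table(dev.read(0))
        if table is None:
            raise OSError("no readable file system: the disk is still locked")
        return cls(dev, user_keys, table)

    def _key_for(self, path):
        return next((k for home, k in self.user_keys.items() if path.startswith(home + "/")), None)

    def write_file(self, path, data):
        sector = self.table.get(path, (len(self.table) + 1, 0))[0]
        self.table[path] = (sector, len(data))
        key = self._key_for(path)
        if key is not None:                      # file-based encryption, keyed per user
            data = xor(data, keystream(key, sector, len(data)))
        self.dev.write(sector, data)
        entries = ";".join(f"{p}:{s}:{n}" for p, (s, n) in self.table.items())
        self.dev.write(0, entries.encode("ascii"))

    def read_file(self, path, key=None):
        sector, length = self.table[path]
        data = self.dev.read(sector)[:length]
        if self._key_for(path) is None:          # system file: no key needed
            return data
        if key is None:
            raise PermissionError(f"{path} is locked")
        return xor(data, keystream(key, sector, length))


# Constructed sample data: one system file, one private file, two users' keys.
SYSTEM_FILE = ("/bin/sh", b"#!/bin/sh -- constructed system binary")
ALICE_FILE = ("/home/alice/notes.txt", b"constructed private notes")
DISK_KEY = b"constructed-disk-passphrase-key"
USER_KEYS = {"/home/alice": hashlib.pbkdf2_hmac("sha256", b"alice-pw", b"salt-a", 50_000),
             "/home/bob": hashlib.pbkdf2_hmac("sha256", b"bob-pw", b"salt-b", 50_000)}


def build_disk(full_disk):
    """Write the same two files either through the block-layer cipher (full disk
    encryption) or under the per-user file-layer policy (file-based encryption)."""
    disk = RawDisk()
    fs = ToyFS(FullDiskEncryption(disk, DISK_KEY)) if full_disk else ToyFS(disk, USER_KEYS)
    fs.write_file(*SYSTEM_FILE)
    fs.write_file(*ALICE_FILE)
    return disk


def offline_view(disk):
    """Directory table as seen by someone holding a copy of the drive and no key."""
    return ToyFS.parse_table(disk.read(0))


def boots_without_key(disk):
    """Can the OS find and read its own files before any key is entered?"""
    try:
        return ToyFS.mount(disk).read_file(SYSTEM_FILE[0]) == SYSTEM_FILE[1]
    except OSError:
        return False


def alice_file_readable(disk, key=None):
    try:
        return ToyFS.mount(disk, USER_KEYS).read_file(ALICE_FILE[0], key) == ALICE_FILE[1]
    except PermissionError:
        return False


def unlocked_fde_reads_everything(disk):
    fs = ToyFS.mount(FullDiskEncryption(disk, DISK_KEY))
    return fs.read_file(ALICE_FILE[0]) == ALICE_FILE[1]
```

With the full-disk layout, `offline_view` cannot even recover the directory table and `boots_without_key` is false, but once the block device is unlocked with `DISK_KEY` every file on it, Alice's included, reads in the clear. With the file-based policy the system file and the directory table are readable without any key (so a guest session can boot), Alice's notes raise `PermissionError` until her key is supplied, and Bob's key yields garbage rather than her plaintext. The caveat a practitioner should keep in view is that the file-based layout leaves file names and sizes visible to anyone holding the drive; that metadata leak is part of the trade the article is proposing.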
Finally, file-based encryption is more realistic about what people will put up with. I myself have said that security comes with inconveniences, and that's true. But when designing a set of security practices, taking on more inconvenience than necessary to mitigate a threat doesn't help. In fact, it only hurts: if a user's security procedures are too cumbersome, that user will take shortcuts.
That sounds bad, and it is, but it probably won't bite you either. In fact, most if not all of your adversaries will never put it to the test. They are either so unsophisticated that file system encryption is enough to stop them, or so sophisticated (i.e. powerful) that they have more effective ways of getting at your data.
Conversely, if your adversary is a government authority (e.g. law enforcement), neither file-based encryption nor full disk encryption will save you. Depending on your jurisdiction, you may be legally compelled to unlock your device. Almost everywhere else, governments can serve orders on the domestic companies that hold your data in their cloud and simply have them hand over what they want, and under repressive regimes, let's just say they have more direct and painful ways of compelling you.
Let's say, for the sake of argument, that you are up against a government actor and all of the above techniques have failed. Full disk encryption would only help if the government had no more sophisticated way of attacking your system. That is not a hurdle for the world's most formidable governments, which are sophisticated enough to break or circumvent encryption one way or another.
So the cases in which full disk encryption will really save you come down to this: your adversary is a government, you can withstand physical torture, and yet that government can't pull off the really cool action-movie hacking that essentially every G20 country can do.
The main reason this matters is that the major consumer operating systems already encrypt the whole disk. Apple and Google have set up their mobile devices for full disk encryption and deny users the option to turn it off. Apple and Microsoft also enable full disk encryption by default on desktops, but offer ways to disable it for the intrepid.
For Linux-based desktop operating systems (my personal preference), installing your system with file system level encryption used to be as simple as checking a box, but that is quickly going the way of the dodo. Ubuntu recently dropped this installation option from its graphical installer, leaving Linux Mint as the only distribution I know of that still offers it. Even DIY distributions like Arch Linux discourage you from trying to set up file-level encryption. Instead, they steer you toward full disk encryption, for which the documentation is much more complete.
If you are willing to go to the lengths needed to disable full disk encryption, there are options available to you. One of the most robust is VeraCrypt. Born of the desire to take up the mantle of the defunct TrueCrypt, VeraCrypt is a graphical tool for creating encrypted directory structures on an existing file system. It offers read and write speeds comparable to those of unencrypted file systems, and even super-spy features such as deniable encryption, where your encrypted data looks like unused free space on your disk. An exploration of even VeraCrypt's basic capabilities would exceed the scope of this already long article, but it may be the makings of a future one.
So why did I take all this time to talk about anything other than the most accessible (if not the best) option? Basically, it's important to know what is possible so that you can make the most informed decisions and craft the computing experience that is most productive for your needs. Computers are infinitely customizable, so there is no reason a user should be denied a setup that fits them best; not knowing one's options is the worst reason of all.
More articles by Jonathan Terrasi