Security notes / data-at-rest encryption: Difference between revisions
mNo edit summary |
|||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
{{#addbodyclass:tag_tech}} | |||
{{#addbodyclass:tag_security}} | |||
{{SecurityRelated}} | {{SecurityRelated}} | ||
Line 17: | Line 19: | ||
====On hard drive encryption==== | ====On hard drive encryption==== | ||
===== | =====What does it do? What does it not do? How strong is its guarantee?===== | ||
<!-- | |||
Annoyingly, this term now refers to a few completely distinct flavours of solution. | |||
Each has different guarantees, including but not limited to | |||
There are a few flavours of disk encryption, including | There are a few flavours of disk encryption, including | ||
* "enter password at boot to decrypt disk" | * "enter password at boot to decrypt disk" | ||
: means the entire computer is unusable without a master password | : means the entire computer is unusable without a master password | ||
: decent against people taking your hardware (e.g. laptop) | |||
: BUT does nothing while it is still powered on | |||
* "[[enclavey stuff]] does it for you" | |||
: great against against people stealing your storage but not your entire computer | |||
: BUT does almost nothing if they steal the whole thing (e.g. laptop), or sit down at it (any) | |||
* "protecting smaller portions at a time", e.g. a partition | * "protecting smaller portions at a time", e.g. a partition | ||
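Review bot: the new flavours list is opened inside an HTML comment (the `<!--` on the new side, right under the new heading), so the heading "What does it do? What does it not do? How strong is its guarantee?" will render with no body; if the list is meant as draft notes that is fine, but then the heading should probably stay inside the comment as well. Also "great against against people stealing your storage" doubles "against". The two trade-off bullets are the right security point to make and read better stated symmetrically: a boot-time passphrase protects a powered-off machine and nothing once it is unlocked and running; hardware- or enclave-bound keys protect a drive removed from its host and little when the whole host (or an unlocked session) is taken. Put that way a reader sees that neither flavour covers the "attacker at a running, unlocked machine" case.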
Line 33: | Line 42: | ||
: can also be tied to TPM, other hardware, or be purely software | : can also be tied to TPM, other hardware, or be purely software | ||
: User account encryption, on systems that allow it, has varied meaning and is its own topic | : User account encryption, on systems that allow it, has varied meaning and is its own topic | ||
: great to add some secrecy without a complete reinstall | |||
: BUT may have some practical footnotes (e.g. "everybody could access until I close it / reboot the thing") | |||
--> | |||
=====Do I need it?===== | |||
For a practical view, see [[Security notes - security for the everyday person]] | |||
=====Practical side===== | |||
<!-- | |||
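Review bot: the new "=====Practical side=====" heading is followed immediately by an opening `<!--`, so it renders as an empty section; either keep the heading inside the comment until there is content, or give it at least a pointer like the one the "Do I need it?" section has. The footnote "everybody could access until I close it / reboot the thing" is the important caveat for partition or container encryption and deserves plainer wording, e.g. "while the volume is mounted, its contents are as readable as any other file on the system, by any user or process with the file permissions, until it is unmounted or the machine reboots".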
Line 272: | Line 294: | ||
--> | --> | ||
====Online encrypted storage==== | ====Online encrypted storage==== |
Latest revision as of 00:27, 21 April 2024
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.
Data at rest, or data in flight
Encryption generally protects data either only at rest, or only in flight (e.g. HTTP over TLS).
Why not both? You could build both on much the same underlying code, but they serve different purposes, and their practicalities differ enough, in the security and privacy implications and in how to use them well for those purposes, that you might as well treat them as two different specializations.
On hard drive encryption
What does it do? What does it not do? How strong is its guarantee?
Do I need it?
For a practical view, see Security notes - security for the everyday person