←back to thread

Bypassing disk encryption on systems with automatic TPM2 unlock

(oddlama.org)
189 points arjvik | 9 comments | 17 Jan 25 03:00 UTC | HN request time: 0.001s | source | bottom
Show context
acheong08 ◴[17 Jan 25 04:12 UTC] No.42733994[source]
I don't understand why anyone would use passwordless disk encryption. It just seems inherently vulnerable, especially with the threat model of physical compromise.

Entering a password on boot isn't even that much work

replies(19): >>42734012 #>>42734073 #>>42734132 #>>42734171 #>>42734304 #>>42734370 #>>42734375 #>>42734397 #>>42734516 #>>42734734 #>>42734841 #>>42734892 #>>42734925 #>>42735445 #>>42736160 #>>42739068 #>>42740673 #>>42741392 #>>42742256 #
1. Hakkin ◴[17 Jan 25 04:36 UTC] No.42734132[source]
If a disk is encrypted, you don't have to worry about the contents if you eventually have to RMA or dispose of the disk. For this use case, it makes no difference how the encryption key is input.
replies(2): >>42734927 #>>42735538 #
2. tommiegannert ◴[17 Jan 25 07:19 UTC] No.42734927[source]
I'd guess the most common scenario is for someone giving away the entire computer, not fiddle with components. Or theft of the full machine.

This feels like one of those half-security measures that makes it feel like you're safe, but it's mostly marketing, making you believe *this* device can be both safe and easy to use.

replies(1): >>42745440 #
3. megous ◴[17 Jan 25 09:12 UTC] No.42735538[source]
Encrypted data are noise now, maybe, but may be decryptable in the future with advances in computing.

So all this depends on what you worry about.

replies(2): >>42737244 #>>42737310 #
4. ◴[17 Jan 25 13:23 UTC] No.42737244[source]
5. HPsquared ◴[17 Jan 25 13:31 UTC] No.42737310[source]
Most of this concern is around certain public key cryptography algorithms which depend on math problems being extremely hard to solve but could in theory be mathematically solved (decrypted without the key) with a good enough quantum computer.

Disk encryption (AES etc) is symmetric and still only brute-force would work which can be made infeasible with a long enough key.

replies(1): >>42738213 #
6. Avamander ◴[17 Jan 25 15:02 UTC] No.42738213{3}[source]
Brute-forcing symmetric encryption is a somewhat silly concept anyways, because each decryption is equally valid.
replies(2): >>42738267 #>>42742119 #
7. tibordp ◴[17 Jan 25 15:06 UTC] No.42738267{4}[source]
That's only true for information theoretically secure algorithms like one-time pad. It's not true for algorithms that are more practical to use like AES.
8. cesarb ◴[17 Jan 25 19:13 UTC] No.42742119{4}[source]
> Brute-forcing symmetric encryption is a somewhat silly concept anyways, because each decryption is equally valid.

Each decryption is equally valid as long as the key has the same size as the data. What happens, in practice, is that the key is much smaller than the data. Take a look at your filesystem, it should have hundreds or thousands of bytes of fixed information (known plaintext), or an equivalent amount of verifiable information (the filesystem structure has to make sense, and the checksums must match). That is: for a large enough filesystem (where "large enough" is probably on the order of a small floppy disk), decrypting with the wrong key will result in unrecoverable garbage which does not make sense as a filesystem.

To give an illustration: suppose all filesystems have to start with the four bytes "ABCD", and the key has 256 bits (a very common key size). If you choose a key randomly to decrypt a given cyphertext, there's only one chance in 2^32 that the decryption starts with ABCD, and if it doesn't, you know it's the wrong key. Now suppose the next four bytes have to be "EFGH", that means only one in 2^64 keys can decrypt to something which appears to be valid. It's easy to see that, once you add enough fixed bytes (or even bits), only one key, the correct one, will decrypt to something which appears to be valid.

9. lukeschlather ◴[18 Jan 25 03:06 UTC] No.42745440[source]
It's pretty fast to destroy all the keys in a TPM. Should take a minute if you know the right place to go. Meanwhile securely deleting a normal drive requires overwriting every sector with random data, which could take hours. So it also helps if you're giving away the whole machine.