2

I ask this because encrypting a hard drive using LUKS takes a few seconds while encrypting the same drive using BitLocker takes several hours. Does that mean LUKS encryption is weaker?

user
user122024
  • 1
    This edit to the question doesn't represent OP's intention. – ferit Aug 23 '16 at 11:46
  • 1
    I concur with Saibot and rolled back André Borie's edit because the original question had nothing to do with overwriting free space. Overwriting of free space may be one point to bring up in an answer, but that doesn't make it a part of the question. – user Aug 23 '16 at 12:05

2 Answers

5

If you don't select the overwrite empty disk space option with LUKS, it is quick and not quite as secure. You are comparing LUKS's quick, less secure usage with BitLocker's secure usage.


If you selected this option already: check your disk's maximum possible write speed and divide the disk size by this speed. That is the minimum time in which overwriting can be completed. If overwriting ends quicker than this, it means there must be an error and the process terminates earlier.

Example: Let's say you have a 240GB SSD with a maximum write speed of 500MB/s. Then the minimum time is: 240GB / 500MB/s = 480s

BMiner
ferit
  • I actually use that option. But it still encrypts in seconds / minutes and I found it strange. (I bought a new SSD recently. Is there any problem with the overwriting methods?) – user122024 Aug 23 '16 at 11:34
  • How big is your ssd? – ferit Aug 23 '16 at 11:39
  • 240 GB in size. But it also happened with a 750 GB HDD – user122024 Aug 23 '16 at 23:26
  • 1
    It would be good to know the dangers of not encrypting empty space. If it is just about that somebody knows how much data is encrypted on the drive, then I think it does not matter in most of the cases. – inf3rno Dec 24 '17 at 10:37
  • 1
    Perhaps this line from Fedora https://fedoraproject.org/wiki/Disk_Encryption_User_Guide might help: "Filling a device with random data prior to encrypting improves the strength of the encryption. However, it can take a very long time to fill the device with random data. It is because of those time requirements that anaconda does not offer this option. This step can be performed manually, using a `kickstart %pre` script. Instructions can be found here https://fedoraproject.org/wiki/Disk_Encryption_User_Guide#new_key." – Timothy L.J. Stewart Dec 04 '18 at 02:46
3

If you do not overwrite the partition's free space, it's possible for an attacker to do two things:

  • Scan the partition and view unencrypted data in places where you haven't written yet.

  • Compare blocks that contain unencrypted data versus encrypted data and estimate how much data the volume has, or how long it has been used.

New data written to an encrypted volume will still be encrypted, and inaccessible without the key, even if you don't overwrite the free space.

You should always overwrite a partition if you don't ever want the underlying data to be accessible again, whether or not you are encrypting the new volume.

LawrenceC
  • 3
    Or just compare the amount of obviously empty (zero) areas against the ones that contain random data (encrypted data). If the disk was empty to begin with, not overwriting it only leaks the amount of data used. Which might not be that critical, but it depends on the user. – ilkkachu Aug 23 '16 at 11:19
  • I actually use that option. But it still encrypts in seconds / minutes and I found it strange. (I bought a new SSD recently. Is there any problem with the overwriting methods?) – user122024 Aug 23 '16 at 11:35
  • I'm not sure of the interaction between LUKS and TRIM but that may be involved. – LawrenceC Aug 23 '16 at 14:28
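
The check both answers point to, as an added example (not code from the original posts): scan a raw device or image read-only, count all-zero, low-entropy and high-entropy blocks, and compare the observed wipe duration with the size / write-speed floor. The 4096-byte block size, the 7.5 bits/byte threshold, the function names and the sample image are assumptions made for this example.

```python
import io
import math
import random
from collections import Counter

BLOCK = 4096         # scan granularity chosen for this example
HIGH_ENTROPY = 7.5   # bits/byte; assumed cut-off for "looks like ciphertext or random fill"

def entropy(block):
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block):
    if not any(block):
        return "zero"  # no random fill and no ciphertext in this block
    return "high_entropy" if entropy(block) >= HIGH_ENTROPY else "low_entropy"

def scan(stream, block_size=BLOCK):
    """Count block classes over a raw device or image opened in binary mode."""
    counts = Counter()
    while chunk := stream.read(block_size):
        counts[classify(chunk)] += 1
    return counts

def min_wipe_seconds(size_bytes, write_bytes_per_s):
    """Lower bound from the first answer: device size divided by write speed."""
    return size_bytes / write_bytes_per_s

def wipe_report(stream, size_bytes, write_bytes_per_s, observed_seconds):
    counts = scan(stream)
    total = sum(counts.values())
    floor = min_wipe_seconds(size_bytes, write_bytes_per_s)
    return {
        "counts": dict(counts),
        # Every block should look random if the free space was really overwritten.
        "fully_overwritten": total > 0 and counts["high_entropy"] == total,
        # A run shorter than the floor cannot have written the whole device.
        "finished_too_fast": observed_seconds < floor,
    }

def constructed_image():
    """Constructed sample: 6 random-filled blocks, 1 stale plaintext block, 3 zero blocks."""
    rng = random.Random(7)
    filled = bytes(rng.getrandbits(8) for _ in range(6 * BLOCK))
    stale = (b"constructed leftover plaintext from an old filesystem\n" * 100)[:BLOCK]
    return io.BytesIO(filled + stale + bytes(3 * BLOCK))

if __name__ == "__main__":
    print(wipe_report(constructed_image(), 240e9, 500e6, observed_seconds=45))
```

To audit a real disk, pass the underlying block device opened in binary read mode as `stream`, not the unlocked mapping, since the mapping returns decrypted data.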