I use Fedora Linux and was recently looking into doing Full Disk Encryption on data drives such as /home on some of my / my family's PCs. I understand that LUKS security will be partially dependent on having strong passwords and not doing very obviously stupid things (saw some articles where people were auto-unlocking an encrypted /home partition during boot by passing a keyfile located on an unencrypted / filesystem - which anyone with a live disc could also use to open the LUKS container).
The main reason why I am concerned was that while googling various things about LUKS / its settings, I came across this Elcomsoft article which talks about breaking LUKS encryption. If that wasn't bad enough, I also saw they had a similar article about breaking VeraCrypt... so I am at a loss as to what I should use for FDE.
I admit that most of the infosec stuff is over my head. But I'm still not clear if I can make those solutions secure merely by tweaking settings/algorithms/etc or if the flaw was with something in the projects themselves (I thought it sounded like the latter). On the one hand, the article itself says that
"LUKS can be viewed as an exemplary implementation of disk encryption"
But the scary part is in the "Breaking LUKS Encryption" sections and how they make it sound like it is very easy to do with their software.
Trying to google was likewise unhelpful as all of the information I could find on "how secure is LUKS?" etc either talked generically about the underlying crypto algorithms or was dated before the Elcomsoft articles. But my reasoning is that in this day and age, it is probably a bit naive to assume that all thieves that might "smash-and-grab" a PC or hard drive from someone's home are going to be technical neophytes. The cheaper of the 2 products mentioned in the LUKS article appeared to be $300 USD. Not chump change but also not unaffordable by any stretch if someone really wanted to get in.
My initial guess based on these is that FDE with LUKS/VeraCrypt would still be "better than nothing", but if I was unlucky and tech-savvy thieves nabbed my PC then data like Tax Records etc might not be protected. Likewise, anything I had almost certainly would not be protected from government entities or law enforcement if they have access to the Elcomsoft products or similar software. Assuming I don't piss off anyone in power, the most I probably have to worry about from the "gov'mint" is saving memes or maybe keeping an offline copy of a few YouTube videos... but it is troubling to think that it is so easy for FDE to be defeated.
Am I reading this wrong / is it just sales "spin" from Elcomsoft trying to market their product? If it is as easy to defeat as they make it sound, then can anything be done on the end user end to better protect against it? If so, what / how?
When I see things like
"Up to 10,000 computers and on-demand cloud instances can be used to attack a single password with Elcomsoft Distributed Password Recovery."
The first thing that goes through my head is to wonder if I can configure LUKS to only allow at most X attempts per minute, with X as some small number like 3. But AFAIK this option does not exist and is nothing more than a dream...
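
The keyfile mistake mentioned at the top of the question (a key for an encrypted /home stored on an unencrypted / filesystem) can be checked for mechanically. The following is an added example, not part of the original post: it parses crypttab-style text and flags key files that sit on an unencrypted mount. The sample crypttab, the placeholder UUIDs and the mount-to-encryption map are constructed assumptions.

```python
import os

# Constructed sample in /etc/crypttab layout; the UUIDs are placeholders.
SAMPLE_CRYPTTAB = """\
# name      device                    keyfile              options
luks-home   UUID=<placeholder-home>   /etc/keys/home.key   luks
luks-data   UUID=<placeholder-data>   none                 luks
luks-bak    UUID=<placeholder-bak>    /home/keys/bak.key   luks
swap        /dev/sda3                 /dev/urandom         swap
"""

# Assumption: mount point -> True when that filesystem is on an encrypted volume.
SAMPLE_MOUNTS = {"/": False, "/home": True}

def parse_crypttab(text):
    """Return (name, device, keyfile) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        keyfile = fields[2] if len(fields) > 2 else "none"
        entries.append((fields[0], fields[1], keyfile))
    return entries

def owning_mount(path, mounts):
    """Longest mount point that contains path (falls back to '/')."""
    best = "/"
    for mount in mounts:
        inside = path == mount or path.startswith(mount.rstrip("/") + "/")
        if inside and len(mount) > len(best):
            best = mount
    return best

def exposed_keyfiles(text, mounts):
    """Flag key files readable by anyone who boots the machine from other media."""
    findings = []
    for name, _device, keyfile in parse_crypttab(text):
        if keyfile in ("none", "-"):      # passphrase prompt, nothing stored
            continue
        if keyfile.startswith("/dev/"):   # e.g. /dev/urandom for throwaway swap keys
            continue
        mount = owning_mount(os.path.normpath(keyfile), mounts)
        if not mounts.get(mount, False):  # unknown mounts count as unencrypted
            findings.append((name, keyfile, mount))
    return findings

if __name__ == "__main__":
    for name, keyfile, mount in exposed_keyfiles(SAMPLE_CRYPTTAB, SAMPLE_MOUNTS):
        print(f"{name}: key file {keyfile} is on unencrypted mount {mount}")
```

On a real system the mount map would have to be built from the machine's own block-device layout; a flagged entry means the volume is only as protected as physical access to the unencrypted filesystem.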