2

A group of Linux servers is using dm-crypt to encrypt data. The servers do not store data long-term but are only temporary stopping points for data before it is sent to other systems. The time the data is saved to disk on the server is typically minutes, but at peak time or if there are downstream outages could be several hours. I have heard that the full disk encryption helps protect against malware threats, specifically in this case a malware which could programmatically copy the information while it was temporarily saved on the servers. Could anyone please let me know if this is true as I have not been able to find confirmation?

user4755220
malware tends to run on an active machine, accessing files from a decrypted drive (or through a process that decrypts it, like the OS) - so, I'm not sure how FDE can protect from malware – schroeder May 28 '15 at 17:01

2 Answers

3

If the malware is copying the files after they have been written to the disk and without requesting the files through the filesystem (which will decrypt them), encryption will protect them.

If the malware is intercepting the files before they are written to disk or is accessing them through the filesystem, encryption will not help.

Encryption only protects against someone accessing the data without going through your OS (e.g. removing the physical disk and attaching it to their machine).

ztk
While your answer is technically correct, I think that it doesn't sufficiently point out that the odds are *very high* that encryption will not help whatsoever. – Neil Smithline May 28 '15 at 17:37
2

I have heard that the full disk encryption helps protect against malware threats, specifically in this case a malware which could programmatically copy the information while it was temporarily saved on the servers.

Full disk encryption does not protect against anything that uses the OS interfaces to read and write to the device in question while the system is running and the device is unlocked. The OS interfaces don't differentiate between CryptoWall and PGP, nor do they differentiate between a foreign country's intelligence service (which is somehow impersonating you to the operating system) and you.

What full disk encryption does protect is data at rest. The threat model for FDE products, including BitLocker, LUKS, dm-crypt, and others, is basically: someone who is able to grab an unpowered storage device and run. As an extension to this, their threat model also includes someone who is able to physically access a running system and get hold of a storage device in a way that shuts it down, or someone who is able to copy the data on the device without copying the privileged memory contents of the running system.

A full disk encrypted storage device is either fully accessible to software running with sufficient privileges, or not meaningfully accessible to any software. In other words, as long as anything running on the computer is able to access the files, anything else running on the computer will also have similar access to those files. (File permissions enforced by the operating system may get in the way, but are not affected by the fact that you are using full disk encryption per se.)

As a consequence, full disk encryption offers no meaningful protection against malware.

user
+1 for mentioning data at rest security. All too often I see people completely fail to see that that is the point of FDE. – forest Apr 07 '16 at 23:51
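The layering the second answer describes, as an added simulation that is not part of any post here: the mapping layer hands plaintext to whichever process calls it, the raw device holds only ciphertext, and wiping the key is the one state in which the data is actually "at rest". The class names, the SHA-256 keystream standing in for dm-crypt's real AES-XTS, and the sample record are constructed for this example.

```python
import hashlib

SECTOR = 16  # bytes per simulated sector (real dm-crypt: 512 or 4096)


def _keystream(key, sector):
    # Sector-dependent keystream standing in for dm-crypt's per-sector IV/tweak,
    # so equal plaintext in two sectors gives different ciphertext. SHA-256 in
    # counter mode is a dependency-free stand-in, not dm-crypt's real AES-XTS.
    return hashlib.sha256(key + sector.to_bytes(8, "big")).digest()[:SECTOR]


class DmCryptMapping:
    """The /dev/mapper/<name> view over a raw sector list: transparent
    encrypt/decrypt for as long as the key is held in memory."""

    def __init__(self, raw_disk, key):
        self.raw, self.key = raw_disk, key   # raw_disk: list of sector bytes

    def _xor(self, n, data):
        if self.key is None:
            raise PermissionError("mapping locked: key wiped from memory")
        return bytes(a ^ b for a, b in zip(data, _keystream(self.key, n)))

    def read(self, n):           # the layer never asks *which* process calls
        return self._xor(n, self.raw[n])

    def write(self, n, plaintext):
        self.raw[n] = self._xor(n, plaintext)

    def lock(self):              # 'at rest': key gone, mapping unusable
        self.key = None


def demo():
    raw_disk = [bytes(SECTOR)] * 2                              # constructed
    key = hashlib.sha256(b"constructed passphrase").digest()   # constructed
    mapped = DmCryptMapping(raw_disk, key)
    record = b"ACCT=1234;AMT=9".ljust(SECTOR, b"\0")            # constructed
    mapped.write(0, record)   # the staging application writes the record
    mapped.write(1, record)   # same record lands in a second sector
    result = {
        # any other process reading the mapped device gets plaintext;
        # only a reader of the raw device (e.g. a stolen disk) sees ciphertext
        "other_process_reads_plaintext": mapped.read(0) == record,
        "raw_sector_is_ciphertext": raw_disk[0] != record,
        "equal_data_differs_per_sector": raw_disk[0] != raw_disk[1],
    }
    mapped.lock()
    try:
        mapped.read(0)
        result["locked_mapping_unreadable"] = False
    except PermissionError:
        result["locked_mapping_unreadable"] = True
    return result
```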