Not sure of the pros, I only see cons...
With software encryption you get updates in case vulnerabilities are discovered and such. With hardware... I guess you might get them if you think to check for them? That sounds like a pain though. Also if the algorithm used suddenly becomes obsolete because of new discoveries, you're now left with a very expensive unsecure disk?
But I'm not very knowledgeable in encryption so I might be wrong.
SSDs can get firmware updates like anything else.
Check Nitrokey Storage 2 but note that 16GB will cost you 100EUR and 64GB 200EUR which makes for an expensive USB stick. That means it is ONLY for things you want encrypted. It's not for your stuff you could download back from the Internet (obviously) but also not for your holiday pictures. It's for the very few things, like your SSH keys to access other machines, that truly matters. In such cases then IMHO then it's actually a lot of space.
That being said it's :
Details https://shop.nitrokey.com/shop/nitrokey-storage-2-56#attr=2
I was thinking more of like a Tamper-Resistant Boot Drive with a computer being Full Disk Encrypted, And I basically phisically carve my signature into the Hardware-Encrypted drive and always check to make sure its mine and that it hasn't been replaced, then I unlock it in Read-Only mode, then I plug into a computer to select the bootloader on the USB drive to turn on the computer.
Basically its a Evil-Maid-Resistant setup.
Of course, someone with actual NSA or FSB skills are gonna get in, but its just so the average script-kiddie can't just download some tampered bootloader online and easily replace the bootloader.
And also I can store like a Linux Distro and Windows installation media on there and know its its much more difficult to tamper with.
Does this work against the threat?
the average script-kiddie can’t just download some tampered bootloader online and easily replace the bootloader.
Can you provide me with an example of that threat with which setups are affected by that?
I mean with physical access.
People living with you.
Or when you want to travel (domestically).
Someone who doesn't need much experience can access the hard drive / SSD and replace the bootloader.
I know it probably doesn't happen often, but this is more of a personal fear thing, I have trust issues with people.
Living alone is too expensive and thus I either have to stick with family, or split rent with random strangers as roommates, not to mention, some landlords can be creepy and do weird things. I don't have trusted friends who can like live with me as a roomate and split the rent.
So anyways, I'm with parents, and I want evil-maid protections for peace of mind, since I can't afford to live alone. (I mean like they are not dangerous criminals or anything like that, they're just fucking nosey and I don't like to find out how much do they want to spy on my online activities).
For phones, its already too locked-down and hard to modify so I'll just trust the verified boot to do it's job.
For computers, its too easy to edit the bootloader on the disk. So I think putting the botloader on such an encrypted USB and put it in read-only mode would protect against tampering with the bootloader.
I probably sound paranoid af right?
Basically, my threat model prioritizes preventing weirdos fucking with my electronics more than anyone else.
Someone who doesn’t need much experience can access the hard drive / SSD and replace the bootloader.
...
I probably sound paranoid af right?
Well, all your points are fair but IMHO the intersection does not exist.
Namely, yes, some people living with you might want to access your files somehow... but able to change the bootloader? Even knowing what a bootloader is? I don't know if your friends or parents are ICT professionals but otherwise, I would be that's not plausible.
Consequently I do recommend you protect yourself, yes, but IMHO the threats are much MUCH lower than that. Namely... maybe checking the last open files or even "just" your browser history is what a typical person might consider, not changing a bootloader.
So... I would personally start with that, e.g. encrypted disk yes, with strong password or even physical token login, e.g. NitroKey or YubiKey. They should never have access to your unlocked computer but once it's locked, in theory there should be no practical way to access files. I insist on the practical word because... I wouldn't imagine parents or flatmates to have access to a cluster of machines to crack encryption.
I don't trust any of those SSDs not to have backdoors, it's not even a hypothetical, we know that hardware encryption on SSDs have been broken in the past. In fact, I wouldn't even be surprised if the manufacturer is just storing all the keys they bake into the SSDs, why wouldn't they from a business perspective? At least with software encryption you can audit the code and the keys are actually generated randomly on a computer you own.
Also, if your SSD hardware fails, it could become impossible to decrypt any recovered data because the encryption keys are likely stored in the processor with no way of getting them out (and no manufacturer who is secretly storing the keys is going to blow their cover by helping you recover your data). With software encryption, you can back up your encryption keys and will be able to actually decrypt the raw data you read from the drive.
What about https://certification.oshwa.org/de000007.html then? Audits like https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit have been done and you could run your own.
Yes. Same use case as any removable drive, but encrypted. And the encryption is system-agnostic, so you don't need any special software on the system to mount it.
From going do the rabbit hole with recently learning freebsd. Is that every good brand nvme ssd has a default password for hardware encryption and you can use certain software to change the default encryption key. However basically everywhere i read online said that hardware based encryption is rarely/never implemented correctly. So an attacker still can most likey retrieve data from the ssd, so basically software encryption will always be more bulletproof. Because people can steal your ssd or clone it and all data on it is useless without a header and key. If using full disk encryption, So basically software based encryption will always be alot harder to break than hardware encryption.
I have a related question: Isn't hardware-based encryption faster than software-based? Or is that just an assumption on my art?
That's almost always false unless the hardware is faster and thus more power hungry and hot than your CPU. That's rarely true. Some fpga accelerator? Maybe. GPU/TPU? Sure. Your hard drive? Not a chance that it would have even remotely competitive processor.
The point of hardware acceleration is usually that your CPU doesn't need to do a task so there's less CPU load and it can spend that time running applications or respond faster.
The short answer is that: all other things being equal, it will always be faster and cheaper to do things dedicated in hardware. Comparing one implementation to another, however, is always going to be an "it depends"
An example of this:
Bitcoin mining started on cpus, then moved to gpus, and now exists on dedicated asics.
A $200 GPU vs a $200 ASIC, the ASIC is going to be a faster sha256 calculator
A $2000 GPU vs a $200 ASIC, the GPU is going to be a faster sha256 calculator
A $200 GPU from today vs a $200 ASIC from 10 years ago vs a $200 CPU from today?... You get the idea.
There's no way to know without specific details which will be faster. You could be running software encryption on a raspberry pi from 5 years ago or the drive could be running an encryption ASIC from 10 years ago, etc
I liked your explanation; you said it better than I ever could have.
You know what Lemmy needs? Some sort of reward... something... we could call it "Lemmy Gold." Then monetize it.
Kidding about the second part, sincere about the first. I will, however, repeat: Lemmy Needs Comment Emoji Reactions.
happy to help!
🤡
What client are you using? I don't see that in Voyager, or on the Lemmy web interface
Edit: Oh. You're saying you can put emojis in replies? That's not the same thing. Think github reactions: they don't pollute the comment thread with noise; they just annotate a given comment with emoji reactions and counts.
I want to be able to give a comment a thumbs up, not reply to a comment and type a single-glyph response.
Probably not by much, since CPUs have had hardware acceleration for AES encryption for a long time now.
I always prefer software over hardware for encryption, RAID, etc.. Because it's portable and not tied to a specific piece of hardware.
Most software has hardware acceleration. AES has been in Intel processors for over a decade, for example.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
much thanks to @gary_host_laptop for the logo design :)