

"Evil Maid" Attacks on Encrypted Hard Drives - mbrubeck
http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

======
Torn
Discussion of original article here:
<http://news.ycombinator.com/item?id=884957>

Schneier's gloss doesn't add much.

------
tptacek
... miss the point of full disk encryption, which is to avoid having to notify
the news media when a drive that may or may not contain social security
numbers is stolen out of the back of a car.

------
amalcon
If you really want to stop these sorts of attacks, the good old "boot disk"
technique is the beginning and the end. Using a TPM for this is overkill, and
arguably less secure.

Many laptops now have SD card slots that could be used for inexpensive boot
disks. A USB dongle would also work. Take the boot disk (that has the key on
it) with you when you leave your computer. Encrypt everything else.

Even that doesn't stop the $5 wrench attack (well, unless you anticipate it
and flush the SD card down the toilet). The _actual_ best thing you can do is
just not keep sensitive data on your laptop.

~~~
ggrot
Maybe I'm dense, but what is the $5 wrench attack? Attacking you personally
with a wrench until you agree to show me the sensitive data on your machine?

~~~
die_sekte
No, actually attacking you personally with a wrench until you show me the
password.

See: <http://xkcd.com/538/>

------
jeremyw
A side note: two-factor authentication (smartcards, etc) -- which minimizes
Evil Maid exposure -- is unsupported on the OSX version of PGP Whole Disk
Encryption.

Let's pester their support staff to add it.

