On Thu, Jun 16, 2022 at 08:18:16PM +0300, an2qzavok wrote:
> >do not roll your own crypto
> I believe this refers only to inventing your own algorithm, just
> writing your own implementation of existing and tested algorithms is
> fine.
>

As I tried to point out with the MAC example, cryptography is full of
subtleties. Even using proven algorithms and plugging them together
inexpertly can create an insecure system. In that example, someone had
used AES in CBC mode with FIPS padding and some SHA-2 HMAC. All of these
were state of the art when the system was designed, and some still are.

> Though, is encrypted root partition even desirable?
> Since it only keeps your data safe when your machine is powered off, I
> always thought of system disk encryption as snake oil at worst and at
> best just not worth the effort.
>

Snake oil refers to a means that does not do what it says it will. Virus
scanners are snake oil because they cannot possibly detect all malware
prior to execution, and then the system is compromised. Malware removal
is snake oil, because it attempts to fix a compromised system while you
don't know what components have been compromised. So how can you have
any confidence in the result? Anything the program uses to find malware
may also have been compromised.

Disk encryption is not snake oil. It will prevent your data from being
stolen when the system is off. This is useful, for example, for a
laptop, or in case you are worried about burglars or law enforcement
taking your computer. It will not help you with exploits targeting any
software you have running, yes, but there are other tools for that.

Ciao,
Markus