too bad it's not an old spnner... just leave it on your speaker magnet overnight. reformat in the morning.

:P
Fred

On Sun, Jan 27, 2019 at 3:24 PM Patrick O'Callaghan <pocallaghan@gmail.com> wrote:
On Sun, 2019-01-27 at 15:06 -0800, Gordon Messmer wrote:
> On 1/27/19 2:44 PM, Patrick O'Callaghan wrote:
> > If it's not being read and rewritten, it's not being encrypted. It's as
> > simple as that. A cryptosystem that doesn't read the plaintext? How
> > does that work?
>
> The suggestion you're replying to didn't encrypt the drive in place.  It
> read a stream of zeros from /dev/zero, encrypted that stream, and wrote
> that stream to the disk.  Thus, nothing needed to be read from any disk.

I think the writer *thought* it was encrypting the disk. I may be
wrong, but that's what I was responding to rather than the minutiae of
the actual command.

Regardless, writing a bunch of encrypted zeroes is no better than
writing plain zeroes or writing random noise, if it's just a single
pass. I think the various answers here are actually addressing slightly
different questions. In my case I'm talking about defence against
physical-level analysis of the disk.

> However, this whole thread is questionable.  It is predicated on the
> assumption that your CPU can encrypt a stream of zeros faster than it
> can generate random data, and also that it can write to its disk faster
> than it can generate random data.  If either of those things is not
> true, then using an encrypted volume to "wipe" a drive will be slower
> and more complex, for no benefit.
>
> On my Dell XPS 13, I can read from /dev/urandom at almost exactly the
> same speed that I can write to a dm-crypt block device, so there would
> be no reason to use dm-crypt over simply dd if=/dev/urandom to the drive.

Of course.

> (But the point that I was making when I replied to this thread to begin
> with is that if you are concerned with wiping your data from drives, it
> should never have been written to the drive in an unencrypted form to
> begin with.  Encrypt your disks.  When you want to get rid of them,
> they're already as secure as your passphrase, and you can irrecoverably
> wipe them by simply wiping the key header.  It's nearly instantaneous.)

Again, I agree, but that's not what the OP asked. Telling him "you
should have started with an encrypted disk" is like telling a traveller
who's asking the way to Podunk "start from somewhere else".

poc
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org