On Sun, 2019-01-27 at 15:06 -0800, Gordon Messmer wrote:
On 1/27/19 2:44 PM, Patrick O'Callaghan wrote:
If it's not being read and rewritten, it's not being encrypted. It's as simple as that. A cryptosystem that doesn't read the plaintext? How does that work?
The suggestion you're replying to didn't encrypt the drive in place. It read a stream of zeros from /dev/zero, encrypted that stream, and wrote that stream to the disk. Thus, nothing needed to be read from any disk.
I think the writer *thought* it was encrypting the disk. I may be wrong, but that's what I was responding to rather than the minutiae of the actual command.
Regardless, writing a bunch of encrypted zeroes is no better than writing plain zeroes or writing random noise, if it's just a single pass. I think the various answers here are actually addressing slightly different questions. In my case I'm talking about defence against physical-level analysis of the disk.
However, this whole thread is questionable. It is predicated on the assumption that your CPU can encrypt a stream of zeros faster than it can generate random data, and also that it can write to its disk faster than it can generate random data. If either of those things is not true, then using an encrypted volume to "wipe" a drive will be slower and more complex, for no benefit.
On my Dell XPS 13, I can read from /dev/urandom at almost exactly the same speed that I can write to a dm-crypt block device, so there would be no reason to use dm-crypt over simply dd if=/dev/urandom to the drive.
Of course.
(But the point that I was making when I replied to this thread to begin with is that if you are concerned with wiping your data from drives, it should never have been written to the drive in an unencrypted form to begin with. Encrypt your disks. When you want to get rid of them, they're already as secure as your passphrase, and you can irrecoverably wipe them by simply wiping the key header. It's nearly instantaneous.)
Again, I agree, but that's not what the OP asked. Telling him "you should have started with an encrypted disk" is like telling a traveller who's asking the way to Podunk "start from somewhere else".
poc