On-disk encryption

Jun 6, 2014 at 9:40 PM
Edited Jun 6, 2014 at 10:50 PM
We've been asked whether we plan to encrypt on-disk. Currently: no. It is (we have argued) a platform responsibility.

FWIW, Groove did encrypt on-disk. So it depends what you mean by that slippery word "platform." Groove saw itself as the kind of platform required to take on that responsibility. Thali doesn't. I think both views are valid but it's good to spell things out.
Jun 6, 2014 at 9:54 PM
Actually I'm glad you brought this up because this was bugging me. The justification we were given for on disk encryption of the files (on a device that isn't otherwise encrypted) was:
  1. The user would be required to use a smart key or hardware token to decrypt the database file at run time
  2. This would mean that the database files were only vulnerable when the hardware token/smart key was around
Last night I was thinking about this and I'm pretty sure this argument isn't valid.

There are exactly two ways that the database could be compromised. Either a human did it or it's programmatic.

If a human did it then it means that a human was able to physically get access to the machine while the hardware token/smart key was in use and get the file out. A related version would be that the human has legitimate remote access to the machine and legitimate access to the user's account and uses that to copy out the files while the hardware token/smart key is in use.

If the attack is programmatic then it just means that the malware hangs out until the files are decrypted and then steals them.

Personally I find the second attack much more likely than the first in which case the defense of encrypting the file (but not the device) seems largely worthless.

But I'm happy to believe I'm missing something.
Jun 9, 2014 at 12:46 PM
Perhaps unrelated to the justification we were given, but device encryption isn't always possible or easy. Even when it is, it's a big step to take. Plenty of Groove users who were unable or unwilling to encrypt their whole disks were nonetheless grateful that Groove encrypted their shared spaces.
Jun 10, 2014 at 3:38 AM
My argument is that encrypting a file and not the machine is 100% false security. As we say in the security business "the only thing worse than no security is false security."