On Sat, 24 Apr 2004, Bill Stewart wrote:
> That's really overkill. Computers these days have enough horsepower to run file system encryption in the CPU.
That's true, but it's possible to get access to the key in memory. Once the machine is compromised, the keys are leaked. It's true that when the machine is compromised the plaintext data may be leaked, but it's more difficult to inspect and transfer a couple of gigs of data than just the key and then come and haul away the machine. Or to compromise the encryption software itself. It's much more difficult to do that with a hardware unit (and much more difficult if the case was e.g. spot-welded - you can still get inside using power tools, but not without visibly damaging the case). Another advantage of a pure-hardware solution is independence from software, thus no risk of present or future incompatiBILLities.
> If you want to get fancy about rubber-hose prevention and avoid the except-for-terrorism clause in the 5th amendment, you could do something with secret-sharing with your unindicted co-conspirators (oh, wait, they don't bother with indictments these days, do they?) so that all of you need to cooperate in a challenge-response thing to restart some of the services.
I'd suggest an m-of-n scheme because of reliability issues. It won't be good to lose all data because one of the co-conspirators died in a car crash.
> Or you could hide that little 802.11 widget on the shelf that stores one of the keyfiles you need to access the secure drive. Once UWB's widely available, it'll be better for that (lower power - harder to detect.)
An 802.11 standalone data storage unit (I think they're on sale already) hidden under the floor, over the ceiling, or between the drywalls could do the job nicely.
> Just make sure that your system _is_ restartable after power failures, because those are a much more likely event than cop invasions.
Reliability vs. security is a big dilemma. Maybe a good approach could be forgetting the key if the machine is moved without telling the processor guarding the key that it should stop watching a movement sensor for a given time interval, or after entering a wrong (or kill-) PIN? A power blackout then won't affect the operation, but switching the equipment off and hauling it away would destroy the keys. The same goes for an attempt to brute-force the access code, or for opening the machine case by force.
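The m-of-n key-sharing scheme suggested in the reply above, as an added example that is not part of the original thread: a minimal Shamir secret sharing over GF(p), where n co-conspirators each hold one share of the drive key and any m of them can reconstitute it, while fewer than m learn nothing about it. The prime, the 3-of-5 parameters and the sample key are assumptions for illustration.

```python
# Added example (not from the thread): Shamir m-of-n secret sharing over GF(P).
import secrets

# Assumption: the Mersenne prime 2^521 - 1 as the field; large enough for a 256-bit key.
P = 2**521 - 1


def split_secret(secret: int, m: int, n: int):
    """Split `secret` into n shares such that any m of them reconstruct it.

    A random polynomial f of degree m-1 with f(0) = secret is evaluated at
    x = 1..n; each share is the point (x, f(x)).
    """
    if not (0 < m <= n < P) or not (0 <= secret < P):
        raise ValueError("bad threshold parameters or secret out of field range")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate f(0) from m distinct shares.

    With fewer than m shares the interpolation still yields a value, but it
    is unrelated to the real secret (every secret is equally consistent).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


if __name__ == "__main__":
    # Constructed demo: a 256-bit drive key split 3-of-5 among the holders.
    key = secrets.randbits(256)
    shares = split_secret(key, m=3, n=5)
    print("3 holders recover key:", recover_secret(shares[:3]) == key)
    print("2 holders recover key:", recover_secret(shares[:2]) == key)
```

Losing up to n-m shares (the car-crash case) costs nothing, while a seized subset below the threshold yields no information about the key.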