Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)

Dave Howe DaveHowe at gmx.co.uk
Sun Feb 9 14:50:35 PST 2003


Jim Choate wrote:
> On Sat, 8 Feb 2003, Sunder wrote:
>> In real life this will not work as most Windoze hard disk encryption
>> schemes can't encrypt the OS disk - and this is where the temp/cache
>> stuff goes.
Not always - certainly, Windows cache goes to a partition that must be
available at Windows startup - but web browser cache can happily live on an
encrypted disk (I have done this many times).
Further, there is always the Drivecrypt pluspack which mounts an encrypted
volume before windoze starts, and hands over to windoze as it comes up (I
believe the same mechanism is used as for doublespaced drives, but I can't
be sure; Drivecrypt is closed source, hence I refuse to use it).

>> At least with a unixish OS you can mount your crypto file systems up
>> at boot time before the OS really starts up (before the system goes
>> to multi-user mode for example (at the end of /etc/rc1.d and before
>> the rc2.d init starts.)
> Which is a blind path since those files -must- be unencrypted and if
> they do mount the disk they have to have access to the key to
> unencrypt the fs hence you're in the same boat as with Winblows.
At least in theory a lilo boot could mount an encrypted partition while
still in the initrd stage; as crypto support is moved into the kernel, I
expect to see this become an available option.





More information about the cypherpunks-legacy mailing list