by ianburrell 4083 days ago
Whole-disk encryption is simpler, but less secure than filesystem level encryption. Block level encryption can't protect against active attacks because it doesn't have the extra space to store checksums. Algorithms are much more vulnerable when the attacker can make modifications and see the response. This makes disk level encryption only suitable for protecting against your laptop being stolen.

Don't know if ext4 encryption supports it, but the filesystem could allocate extra space for checksums to verify files aren't being modified. It also could store different keys for each file or directory making it possible to lock and unlock portions of the filesystem separately.

1 comment
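An added example, not part of either comment, to make ianburrell's malleability point concrete. It encrypts one 512-byte sector with AES-CBC, a length-preserving mode of the kind dm-crypt offers (CBC-ESSIV is used here because its malleability is easiest to see; the more common XTS mode scrambles the whole 16-byte block rather than flipping a chosen bit, but is equally unauthenticated), tampers with the ciphertext, and decrypts it with no error at all. It then does the same with AES-GCM, which needs 16 extra bytes per sector for the tag and rejects the tampering. The key, IV, nonce, sector contents and the "flag byte" at offset 32 are all constructed for the demo and correspond to no real on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const sectorSize = 512

// Constructed layout for the demo: byte 32 of the sector is a hypothetical
// permission flag an attacker would like to flip. It sits in plaintext block 2
// (bytes 32..47), so the attacker's edit lands in ciphertext block 1.
const modeOffset = 32

// sampleSector builds a deterministic 512-byte sector of fake data.
func sampleSector() []byte {
	s := make([]byte, sectorSize)
	for i := range s {
		s[i] = byte('a' + i%26)
	}
	s[modeOffset] = 0x00 // flag clear ("unprivileged")
	return s
}

// encryptSectorCBC encrypts a sector with AES-CBC. Output length equals input
// length: there is nowhere to put a checksum or tag.
func encryptSectorCBC(key, iv, sector []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(sector)%block.BlockSize() != 0 {
		return nil, errors.New("sector length is not a multiple of the block size")
	}
	ct := make([]byte, len(sector))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, sector)
	return ct, nil
}

// decryptSectorCBC decrypts a sector with AES-CBC. Note that it cannot fail
// on tampered input; it only returns an error for malformed parameters.
func decryptSectorCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// tamperCBC returns a copy of ct in which the plaintext byte at off will come
// out XORed with delta. In CBC, P[i] = D(C[i]) XOR C[i-1], so flipping a bit in
// C[i-1] flips the same bit in P[i]; the attacker pays for it with plaintext
// block i-1 turning into garbage. Requires off >= aes.BlockSize.
func tamperCBC(ct []byte, off int, delta byte) []byte {
	out := append([]byte(nil), ct...)
	out[off-aes.BlockSize] ^= delta
	return out
}

// encryptSectorGCM encrypts a sector with AES-GCM. The output is 16 bytes
// longer than the input: that is the "extra space" an authenticated layout
// has to find somewhere.
func encryptSectorGCM(key, nonce, sector []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, sector, nil), nil
}

// decryptSectorGCM verifies the tag before returning any plaintext.
func decryptSectorGCM(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // demo key, constructed
	iv := bytes.Repeat([]byte{0x22}, 16)  // per-sector IV; ESSIV would derive it from the sector number
	sector := sampleSector()

	ct, err := encryptSectorCBC(key, iv, sector)
	if err != nil {
		panic(err)
	}
	forged := tamperCBC(ct, modeOffset, 0x80)
	pt, err := decryptSectorCBC(key, iv, forged)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBC: %d ciphertext bytes for %d plaintext bytes (no room for a tag)\n", len(ct), len(sector))
	fmt.Printf("CBC: flag byte %#02x -> %#02x after tampering, decrypt error: %v\n", sector[modeOffset], pt[modeOffset], err)

	nonce := make([]byte, 12) // demo only; a real design needs a fresh nonce per (key, sector) write
	gct, err := encryptSectorGCM(key, nonce, sector)
	if err != nil {
		panic(err)
	}
	gct[modeOffset] ^= 0x80
	_, err = decryptSectorGCM(key, nonce, gct)
	fmt.Printf("GCM: %d bytes (%d extra for the tag), decrypt after tampering: %v\n", len(gct), len(gct)-len(sector), err)
}
```

The GCM half shows where the space goes, not a drop-in sector design: reusing one nonce across rewrites of the same sector is itself a break, which is why per-file or per-block schemes have to store a nonce or counter alongside the tag as well.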

> Algorithms are much more vulnerable when the attacker can make modifications and see the response.

That means having access to the block device itself, with the system in an unlocked state.

If you've reached that scenario, then it's game over for whatever data is being encrypted.