Hacker News

bluebarbet, yesterday at 10:26 PM

Yes I understand all that. I don't have secure boot, so I'm not protected against the evil-maid attack either. I know that too.

It's why I used the word "technically", by which I meant "in the absolute". What word do you propose instead? Encryption that can be worked around by anyone with skills and commonly available equipment is technically useless. It offers some protection (the thief will probably reboot or unplug) but ultimately it's null and void.

>Most people expect

This would need to be sourced. I say most people expect "encryption" to be as secure as the encryption password. In the case of an unattended sleeping computer using Linux with FDE enabled and the screen locked, it's not. I'm not sure most people know that. I believe things are different on, say, iOS. All of this was the rationale for Debian's (buggy) feature.


Replies

acdha, today at 1:41 AM

I would talk about threat models. There’s a bunch of detail to cover but the short of it is “you’re protected when you resell the device or replace a drive” or “you’re safe from a laptop thief in a coffeeshop but not the Mossad”. How you get there is the step in the conversation after you decide which of those concerns you.