i really am one to believe the average lay person does not need full disk encryption and verified boot on their computers

H4kii the Posnaniese

@navi isn't it better to do such than not doing this? Better be more protected then less

/etc/init.d/witch.navi

@hakki no, security isn't always a "the more the betterer", see https://social.vlhl.dev/notice/Aoc60wKogZsf8vQRpw

H4kii the Posnaniese

@navi hmm the question is what if sb will stole such laptop, this could potentially lead to dangerous situations. Imho this is also a concern about doing backups, as this would also save the data

/etc/init.d/witch.navi

@hakki for someone to steal that laptop, they have to break into his house, go all the way to the living room, and get... the laptop for data?

he's faaar from a high target, and if he were, sending him a virus which would copy the already decrypted data in the computer would be a lot easier for the attacker

such steal scenario would only happen if it were some thug trying to just steal and flip things, not caring about data at all

so, that's ouside his threat model by quite a lot

H4kii the Posnaniese

@navi what I meant is SB stealing the laptop, but without targeting - for example if your grandpa saves passwords in the browser, and there are common, there is a possibility to decrypt browser database. It does not have to be targeted attack, it is common that thiefs do not clear hard drives, and sell them as parts.

/etc/init.d/witch.navi

@hakki

> there is a possibility to decrypt browser database
there's still the possibility of decrypting the disk? it also seems farfetched that someone would get random stolen hard drives, spend who knows how long and a lot of compute power to decrypt the browser's password store, to hopefully get some useful passwords

when they can instead use leaked password stores and not have to deal with buying stolen drives and wiring them up to a machine and hoping there's passwords to steal there

Amber 🌸

@[email protected] @[email protected] also there exists malware out there today like discord token stealers that sit there targeting the password db. this attack isn't likely to happen offline. FDE is not going to save you.

Amber 🌸

@[email protected] @[email protected] if you yourself are concerned about this, that's up to your risk assessment/threat model. it'd make sense for you to want to do FDE to prevent that possibility. this is more about bitlocker coming preinstalled on OEM computers without people's knowledge.

Amber 🌸

@[email protected] @[email protected] I for one see a minimal chance of someone taking my used ssd and using it to extract passwords (keep in mind I am typing this from a system with LUKS+LVM so my disk is encrypted). This was a conscious decision I made for myself fully aware of the drawbacks. Grandma isn't going to know what bitlocker is, and certainly isn't going to think in the back of her head "i really gotta write down that code. what happens if i send my laptop in for repair and they disconnect the battery resetting the tpm? i will be locked out of my files" grandma just sends her laptop to a repair center and then she finds out the hard way what bitlocker is.

Amber 🌸

@[email protected] @[email protected] I highly doubt grandma has much on her computer worth encrypting. I, on the other hand am a professional sysadmin that uses this laptop to access client devices. I have ssh keys, passwords (stored in a password manager), and things i'd rather not have floating around. I'd prefer if some stranger (even if it was some teenager) didn't get access to my wireguard private keys to access my servers. I think this is a bit more realistic of a threat model then "what if someone mass harvested harddrives and used it to extract passwords from the browser database". Does grandma really need pictures of her kids under the same level of protection? Especially when it's super easy for her to forget things already due to age.