Whole OS encryption - Page 3


Container within container (was Re: Whole OS encryption)

[re: whole-disk encryption]

     For various reasons, I have several Bestcrypt containers.
It's a pain to mount them with the properly long passphrases
needed for good security.  I was considering the possibility of
using one large container (with a top-notch passphrase) and then
having my other containers within it (with somewhat less onerous

     I was wondering if anyone has done any benchmarks on how disk
access timings and/or CPU usage are affected with this kind of
container-within-a-container scheme.  (I was hoping not to have to
do it, myself.)  I would expect it to be about the same as a
container within an encrypted whole disk.

     Another option is to use whole-disk encryption with
containers (just as you mentioned).  But, the same question of
performance arises.

Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position

Re: Container within container (was Re: Whole OS encryption)


I have not done any performance benchmarks but there is much to be said
for encryption within encryption (i.e., partition/container encryption
within full boot HD encryption).

1)  It provides considerable belt-and-suspenders backup in case one of
the two manufacturers has an implementation flaw or even a backdoor.  
Obviously the two encryption schemes should not be from the same
manufacturer (e.g., Securstar) or, for the truly paranoid, from the same
country (e.g., US).

2)  It's handy if the machine is shared between multiple users: each can
have his own Truecrypt (say) container with overall OS protection
provided by the shared full HD encryption.  This even provides some
(limited) protection while surfing if the Truecrypt containers are not
mounted in the decrypted state.  At the loss of the benefit in 1) above
but the gain of some performance, the Truecrypt containers/partitions
could be on separate drives or partitions rather than nested within the
encrypted OS partition/drive.


PS  There is now a halfway-house third-party extension of Truecrypt
(TCGINA) which takes it part way to achieving the benefits of full boot
HD encryption.  This extension can protect the swap file, a user's
registry hives, temp files, etc.  See:

http://www.truecrypt.org/third-party-projects/tcgina/

PPS  An alternative way of sharing a computer is for each person to have
his own HD which is carried in one of these "caddy" affairs and mounted
in a "receiver" in a drive bay on the computer when it's his turn to use
the computer.  As cheap as $20 for the receiver and $20 for each caddy
here in Canada. (It's a bit more for high quality shockproofed metal ones
rather than cheaper plastic ones.)  Obviously (some/all of) the HDs could
be protected by full OTFE HD encryption with unique passwords if desired.  
With HDs so cheap this is quite a workable solution for, say, a
(paranoid) family :-)
