RE Re: Ubuntu ISO Testing team: New build notification-why encryption support is needed
Luke Kuhn
lukekuhn at hotmail.com
Wed Nov 30 04:10:08 UTC 2011
Yes, there is a reason why encryption would be used with ubuntustudio: Dissident, protest and political opposition media makers. I make video and audio news and opinion media for progressive movements in the US. There have been grand jury subpoenas (which people like me do NOT comply with) and police raids on activist media makers' homes. One of those raids in 2008 stole a computer with Ubuntustudio Hardy from my house - fortunately one with the media files on an encrypted partition! They never returned for a second computer or hard drive; other evidence suggests they were never able to penetrate the encryption.
Other dissidents in other nations have it even worse. In some countries, a dissident media maker with an unencrypted machine could get people killed. In my country he could get someone called before a Grand Jury or arrested and charged with any of a variety of offenses. Therefore, photographic, video, and audio workflows need to be on fully encrypted systems in my line of work, without every activist media maker having to learn to be a hacker as well, like I had to (but would have anyway). All of my systems are encrypted, for obvious reasons.
When I did my 64 bit reinstall from a vanilla Ubuntu disk I had no trouble installing to existing encrypted partitions, but then had to wait over 5 hours for all the media software I use to download over a slow connection. That was followed by hours of custom configuration, all of which a default Ubuntustudio install (like what I started from in Gutsy so long ago) saves typical end users.
Due to dangers facing some media makers (even mainstream media in some places) there needs to be as little deterrent as possible to a new user selecting encryption, otherwise people in positions like my own, setting up for the first time and never having faced a police raid, will say "why bother" until it is too late. I've seen entirely too much of that, and that's what keeps the raids coming. While "anybody" can install Ubuntu, Ubuntustudio or any other distro on encrypted disks themselves, that's not the same as anybody who is simply an end user making media being able to do so.
Unfortunately I do not have the Internet bandwidth anywhere (at home or on the road) to routinely download and test entire disk images every few days or I would handle this one myself. I would guess that simply making sure nothing happens to the partitioning or encryption portion of Ubuntu's default "alternate disk image" should keep this working.
Yes, encryption does slow down disks, but with any processor sufficient to handle modern video editing there is plenty to handle encryption. I even got away with root filesystem encryption on an expendable Pentium II laptop I took on an especially hairy out-of-town mission! Also, the newest "sandy bridge" (Intel) and "bulldozer" (AMD) all have the AES-NI instruction set to speed up disk encryption. Haven't tried one of these chips, and I don't know if there are hardware issues with AES-NI that would compromise security either.
The only time I see encryption slowing my disks down on my Phenom II X4 video editing machines is when copying a filesystem from one partition of an SSD to another. Then I get about half processor usage as the fast disks push encryption hard. If a RAID is needed for uncompressed HD video or a big multitrack job, I can see this being a problem. If a big enough ramdisk isn't possible and an unencrypted volume has to be used, I would then have to wipe the whole thing afterwards, with zeros after each job, random numbers after any "heavy" job and making sure the partition is just big enough for the largest projects, so as to force overwriting the space used by previous work and then zeroed out. That's how I treat camera cards, given the lack of encrypted cameras. I can also destroy them if I ever get trapped with a "loaded" camera.
As for encryption slowing down a portable laptop with less CPU, laptops are routinely stolen or "stolen" and need encryption the most. A good friend had three stolen in a suspicious "burglary" while guests were in town, good thing they were all encrypted!
One last issue: you may ask "why encrypt the binaries?" The answer is that that is the only thing that can write protect them when an attacker mounts the disk from his own live USB stick. It is a lot easier to verify the boot partition with a hash check (there are ways to do this, none of them simple but I use them) than an entire operating system, and there are a lot fewer places in /boot for a keylogger to hide than in the whole operating system.
> On Tue, November 29, 2011 8:00 am, qatracker at stgraber.org wrote:
> > A new build of Ubuntu Studio Alternate i386 is ready for testing!
> > Version: 20111129.1
> > Link: http://91.189.93.73/qatracker/milestones/205/builds/7263/testcases
> >
<snip>
> Also, is there any reason to test case two (encrypted disk)? It would seem
> to me that this would slow down disk access for things like streaming
> multi-tracks. Therefore, if I did test it, I would test it with a graphic
> workflow where it might make sense.
>
> --
> Len Ovens
> www.OvenWerks.net
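
An added example, not part of the original message and not the poster's own method: one way to do the hash check of an unencrypted /boot that the message mentions, by recording a SHA-256 manifest and comparing against it later. The names `boot_manifest` and `boot_verify` and the command-line form are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: baseline-and-verify for a small unencrypted boot directory.
# boot_manifest and boot_verify are hypothetical helper names.

# Print a sorted "hash  path" manifest for every regular file under $1.
# Paths are relative to $1 so the manifest survives a different mount point.
boot_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare directory $1 against the baseline manifest file $2.
# Returns 0 if identical, 1 if any file was changed, added or removed.
# The diff output names the affected files.
boot_verify() {
    dir=$1
    baseline=$2
    current=$(mktemp) || return 2
    boot_manifest "$dir" > "$current"
    if diff -u "$baseline" "$current"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$current"
    return "$rc"
}

# Optional command-line use (does nothing when run without arguments):
#   script baseline /boot /root/boot.sha256
#   script verify   /boot /root/boot.sha256
case "${1:-}" in
    baseline) boot_manifest "$2" > "$3" ;;
    verify)   boot_verify "$2" "$3" ;;
esac
```

The baseline only helps if it is kept where someone booting the machine from their own media cannot rewrite it, for example on the encrypted root filesystem or on removable media. This check covers files only and does not cover the boot sector or bootloader stages stored outside the filesystem.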