0

I recently read this nice Howto tutorial about doing backups with whole disk encryption using LUKS. Surprisingly for me this tutorial contains as the first part of step #3 a command to overwrite the new disk partition with encrypted binary zeros:

dd if=/dev/zero of=/dev/mapper/your_encrypted_disk_partition

Obviously this command will be very time consuming considering the huge disks available today. So the temptation to skip this command. If the disk is going to be filled and will be overwritten mostly anyway, because a full system backup is going to follow immediately as the next step after creating and mounting the encrypted disk device then the need to do this is difficult to understand.

What are the security risks of leaving this command out?

Does disclosure of usage pattern simply means that someone getting hold of the disk might be able to figure out how much space of the disk is occupied by my encrypted data?

Or might some resourceful secret agency be able to discover more private information?

pefu
  • 679
  • 1
  • 6
  • 24

1 Answers1

2

If you don't zero out the disk with encrypted zeroes, an adversary could theoretically analyze your disk to determine where and how much encrypted data was written. Information can be gathered from that metadata, such as the kind of application writing information to the underlying filesystem and what kind of information could be present on the partition. Writing all zeroes also may give you plausible deniability, if necessary. Depending on why you're encrypting the partition, you may not care about any of the above.

A resourceful TLA could probably break your encryption if they really wanted to anyway, even if they have to resort to rubber-hose cryptanalysis.

That said, the extra time consumption still shouldn't break you, and if it does then there may be bigger problems. If the disks are slow enough that writing encrypted zeroes to them is a burden, then they're probably underperforming for whatever else you want to do with them.

Hyppy
  • 15,608
  • 1
  • 38
  • 59
  • I'am using simple SATA data disks connected using an ESATA cable to my laptop to do whole system backups of my laptop every few months. I don't have so much valuable private information a side from my SSH and PGP private keys which have pass phrases anyway. But I think encrypting complete system backups is a good idea. Writing about 1 TB of data to such a disk takes several hours though. – pefu May 07 '15 at 15:43