How useful is hard drive encryption?

Solution 1:

Once you're booted up, the encryption key stays in memory. If they really wanted to, they could directly attach to the motherboard and extract the encryption key from memory. If you've encrypted your hard drive, I would certainly hope you set your laptop up to require a password to log back in. If you have (and it's secure), then they can't run a program to steal the key. At that point they have two options: try to physically force the key out (through the motherboard), or reboot and hope it wasn't encrypted.

If you have hard drive encryption enabled and you DON'T have a password for your account (or it doesn't ask when waking up) or your password is weak and easily guessable, hard drive encryption won't help you much.

Solution 2:

Full disk encryption is of no use if the PC is stolen when the key is in memory.

My favourite demonstration video of this is on SecurityTube (a great resource): http://www.securitytube.net/Cold-Boot-Encryption-Attack-video.aspx

Cold boot attack demonstrations and a creative attack involving cooling RAM, removing it from the laptop, plugging it into another laptop, and reading the data on it. Have no illusions about "power off, RAM loses data instantly". It's a fallacy; data decays gradually.

Solution 3:

Hibernate mode can be made to be very secure, given that your resume device (i.e. swap device) is encrypted. You will be asked for the pre-boot passphrase after resuming from hibernation. I've tried it, and it works. Not susceptible to cold boot attacks either (well, not after the first minute or so).

Sleep mode is less secure; it does not dump its memory to swap when it goes to sleep. It can be made secure up to a point, in that you can require a password to unlock after resuming. However, sleep mode is susceptible to cold boot attacks. Someone with physical access to the machine can find the key and get to your data.

So as a rule of thumb, providing your resume device (usually your swap device) is encrypted and requires a pre-boot passphrase, and that passphrase is secure:

  • Hibernating is quite secure
  • Sleeping (suspend to RAM) is less secure

Note that home directory encryption, like that offered by eCryptfs (as used by Ubuntu), does not encrypt your swap device. Not all so-called 'disk encryption' does either.

Note: on Windows the terminology is different. Your resume device is a 'hibernation file' on Windows, and your swap device is a 'page file'. But the above still applies: if these are both encrypted then hibernation should be safe.
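
One way to check the precondition in the answer above (that the swap/resume device is actually encrypted) on Linux. This is an added example, not part of the original answer. It assumes the encrypted mappings were created by cryptsetup, which gives them a device-mapper UUID starting with `CRYPT-`; the sample `/proc/swaps` content is constructed.

```python
import os

# Constructed sample of /proc/swaps content (not taken from the original page).
SAMPLE_SWAPS = (
    "Filename                Type        Size     Used  Priority\n"
    "/dev/dm-1               partition   8388604  0     -2\n"
    "/dev/dm-2               partition   4194300  0     -3\n"
    "/dev/sda3               partition   2097148  0     -4\n"
    "/swapfile               file        1048572  0     -5\n"
)

def parse_swaps(text):
    """Return (path, type) for each active swap area listed in /proc/swaps."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return [(r[0], r[1]) for r in rows if len(r) >= 2]

def crypt_backed(name, sysfs="/sys"):
    """True if block device `name` is a cryptsetup mapping, or is a
    device-mapper device (e.g. an LVM volume) whose every parent is one."""
    base = os.path.join(sysfs, "class", "block", name)
    try:
        with open(os.path.join(base, "dm", "uuid")) as f:
            uuid = f.read().strip()
    except OSError:
        return False  # plain disk or partition: no dm layer, so no dm-crypt
    if uuid.startswith("CRYPT-"):  # assumption: mapping was created by cryptsetup
        return True
    try:
        parents = os.listdir(os.path.join(base, "slaves"))
    except OSError:
        parents = []
    return bool(parents) and all(crypt_backed(p, sysfs) for p in parents)

def classify(swaps_text, sysfs="/sys"):
    """Map each swap area to 'encrypted', 'plaintext' or 'unknown'."""
    verdicts = {}
    for path, kind in parse_swaps(swaps_text):
        if kind != "partition":
            verdicts[path] = "unknown"  # swap file: depends on the filesystem under it
            continue
        name = os.path.basename(os.path.realpath(path))
        verdicts[path] = "encrypted" if crypt_backed(name, sysfs) else "plaintext"
    return verdicts

if __name__ == "__main__":
    with open("/proc/swaps") as f:
        for dev, verdict in classify(f.read()).items():
            print(f"{verdict:10} {dev}")
```

A `plaintext` verdict means hibernation would write memory contents, including the disk key, to an unencrypted device; `unknown` swap files need the same check applied to the block device holding their filesystem.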

Solution 4:

Protect your account with a password; then you would have to type the password when waking up the laptop from sleep mode. However, that does not protect you against a cold boot attack.

But it's more important to secure your network daemons, because by exploiting them an attacker can gain access more easily than with a cold boot attack.