
You don't understand. You're thinking about this like a systems programmer. The problem is not that anyone cares about your OS binaries. The problem is that it is theoretically possible that customer data could have wound up in /sbin (maybe a script broke and did something stupid as root). Obviously customer data could routinely end up in /. Unless you can promise that there is no customer data in any unencrypted volume --- not assure that it is extremely unlikely, but promise --- then the assumption is going to be that the data was compromised, and stakeholder disclosure has to happen.

WDE solves that problem. If your disk is block-level encrypted and you carry your laptop around powered off, you can make an attestation-level promise that a stolen laptop didn't compromise customer data.

Along with an audit regime that makes sure it's configured properly, WDE allows you to promise that not one block of data on a device is readable without a key.
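One concrete form of the audit check described above, added here as an example rather than anything from the thread: it walks the block-device tree that `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` reports and flags every mounted filesystem (swap included) that has no dm-crypt mapping anywhere in its ancestry. The sample output embedded below is constructed; the helper names are my own.

```python
import shlex
import subprocess

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on a laptop
# where /home and swap sit on LVM over LUKS but / and /boot are plaintext.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" MOUNTPOINT="" PKNAME="sda3"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptlvm"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptlvm"
"""


def parse_lsblk_pairs(text):
    """Turn lsblk --pairs output into {NAME: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name, devices):
    """True if the device or any ancestor is a dm-crypt (TYPE="crypt") mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def plaintext_mounts(text):
    """Mountpoints (and [SWAP]) whose backing device is not under dm-crypt."""
    devices = parse_lsblk_pairs(text)
    return sorted(d["MOUNTPOINT"] for d in devices.values()
                  if d["MOUNTPOINT"] and not is_encrypted(d["NAME"], devices))


if __name__ == "__main__":
    out = subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
                         capture_output=True, text=True, check=True).stdout
    leaks = plaintext_mounts(out)
    print("all mounts are on dm-crypt" if not leaks else "PLAINTEXT: " + ", ".join(leaks))
```

Run against the constructed sample, `plaintext_mounts` returns `["/", "/boot"]`, which is exactly the case the comment describes: the OS volume is plaintext, so the "not one block readable without a key" promise cannot be made for that machine.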



> You're thinking about this like a systems programmer.

Indeed, yes, I am. My experience in shipping systems used by tens of millions leads to that line of thinking.

> The problem is not that anyone cares about your OS binaries. The problem is that it is theoretically possible that customer data could have wound up in /sbin (maybe a script broke and did something stupid as root). Obviously customer data could routinely end up in /. Unless you can promise that there is no customer data in any unencrypted volume --- not assure that it is extremely unlikely, but promise --- then the assumption is going to be that the data was compromised, and stakeholder disclosure has to happen.

I agree 100%. No one cares about OS or app binaries, as long as those binaries can be cryptographically guaranteed to be unmodified. Given that, no one cares about them.

So, set that aside. Once that's a given, why can't you entirely isolate all user data into individual per-user containers? I can think of numerous ways that can be implemented. Chrome OS has done one such implementation itself. Hell, union mount an encrypted per-user volume over the unencrypted OS volume. If you don't like that, find some other way. The bottom line: it's software. Implement some way to promise user data is always isolated and encrypted. It can be done and if you think it can't, you're thinking too small.

WDE guarantees one thing – whole disk encryption. That buys you nothing when one single malicious user gains access to that volume. And keep in mind: that malicious user could have been benign and even friendly to begin with.

You really do want per-user data encryption.


WDE has nothing to do with malicious users and malware. You really do want a lot of things. There are a myriad of threats. For the threat of "car window cinderblocked and laptop bag stolen out of back seat", what you want is WDE.


WDE is simpler. Even if you wrote the perfect operating system or bootloader that never made a mistake, you'd still fail at the goal. User A could install a keylogger or some other kind of hardware manipulation and use that to steal user B's passphrase or spy on B.

> You really do want per-user data encryption.

In what kind of situation, where users don't have physical access to the machine, is user-segregated on-disk data encryption necessary?



