Whole-Disk Encryption

CS 463/480 Lecture, Dr. Lawlor

Q: Why bother with encryption?  My laptop is safe--I'm over 6 foot tall and know some Karate.
    A: A huge number of data breeches are caused by laptops left in cabs, bars, and hotel rooms.  Others are caused by careless handling of dead hardware, or backup disks.  Others are caused by intrigue or an armed assault.

Q: But I password-protect Windows, and even my BIOS!
    A: One screwdriver is all it takes to physically pull the drive, and then they can read the filesystem on any machine you like.

Q: Why isn't it enough to encrypt just the important files?
    A: Sensitive data can leak to temporary files, hidden, and deleted files.  Swap files, or filesystem slack space, is particularly bad.  Some editors, like Word, are bad about leaving parts of erased data inside existing files.

Q: OK, I'm sold.  I just AES'd my disk.  Why's it so slow?
    A: Most good encryption algorithms, especially CBC style, are sequential--this means you could only decrypt the disk by starting at the beginning and working your way through.  For a normal disk, you want random access, so you need to be able to pick up the encryption at any disk block.  

Q: OK, I now AES each disk block separately.  Wait, why are there all these repeating patterns?
    A: You need a different initialization vector for each disk block.  Using the same IV basically devolves the cipher to electronic codebook for disk blocks.  Using a predictable IV, like the disk block number, still allows a watermarking attack, where somebody carefully crafts a file with modifications to cancel out your changing IV, revealing a repeating pattern in the encrypted data.  A better scheme is to make the IV's depend on the key, like ESSIV (encrypted salt-sector initialization vector), although there are many options.

The old linux interface losetup is vulnerable to this sort of attack, even from my 5-minute C program.  Here's the encrypted filesystem when writing the watermark file to an losetup filesystem:
repeating patterns, disk watermark attack

Here's the same file written to a newer cryptsetup filesystem:
Random noise, resistant to watermark attack

Note the repeating patterns (the watermark) is gone.  See the full command list below.

Q: I need to let my husband use my computer, but I don't want to give him the same password.
    A: It's probably more secure to have separate computers, but the standard trick for multi-user access to a single shared encrypted disk is to have one "disk key" that is stored in several copies, each one encrypted using a separate "user key".  The standard disk format on Linux for this is LUKS.  You can set this up so any authenticated user can read the disk, but nobody else can.  You could also have an unencrypted copy of the disk key in a vault or safe deposit box, for backup.

Q: How do I set this stuff up?

A: There are several portable solutions, like TrueCrypt or PGP (now a free Symantec product).

In Linux, the old 2.6 way is using cryptoloop:
modprobe cryptoloop
modprobe aes

dd if=/dev/zero of=test.1m bs=1024k count=1
losetup -e aes -k 256 /dev/loop5 test.1m
mkfs.ext2 /dev/loop5
mkdir tmp
mount /dev/loop5 tmp
... filesystem is mounted to tmp ...
umount tmp
losetup -d /dev/loop5
The new and watermark-resistant way is using cryptsetup:
modprobe aes
modprobe cbc
modprobe dm_mod
modprobe dm_crypt

dd if=/dev/zero of=test.1m bs=1024k count=1
cryptsetup --cipher aes --key-size 256 create foodrive test.1m
mkfs.ext2 /dev/mapper/foodrive
mount /dev/mapper/foodrive tmp
... filesystem is mounted to tmp ...
umount tmp
cryptsetup remove foodrive

Q: Help, I forgot my disk key!
    A: It sucks to be you.  If you don't have an emergency recovery information (ERI) file, your data is now gone.  Hopefully you've got backups elsewhere!