Whole-Disk Encryption
CS
463/480 Lecture, Dr.
Lawlor
Q: Why bother with encryption? My
laptop is safe--I'm over 6 foot tall and know some Karate.
A: A huge number of
data breeches are caused by laptops left in cabs, bars, and hotel
rooms. Others are caused by careless handling of dead
hardware, or backup disks. Others are caused by
intrigue or an armed assault.
Q: But I password-protect Windows, and
even my BIOS!
A: One screwdriver is
all it takes to physically pull the drive, and then they can read
the filesystem on any machine you like.
Q: Why isn't it enough to encrypt just
the important files?
A: Sensitive data can
leak to temporary files, hidden, and deleted files. Swap
files, or filesystem slack space, is particularly bad. Some
editors, like Word, are bad about leaving parts of erased data
inside existing files.
Q: OK, I'm sold. I just AES'd my
disk. Why's it so slow?
A: Most good
encryption algorithms, especially CBC style, are sequential--this
means you could only decrypt the disk by starting at the beginning
and working your way through. For a normal disk, you want
random access, so you need to be able to pick up the encryption at
any disk block.
Q: OK, I now AES each disk block
separately. Wait, why are there all these repeating
patterns?
A: You need a
different initialization vector for each disk block. Using
the same IV basically devolves the cipher to electronic codebook
for disk blocks. Using a predictable IV, like the disk block
number, still allows a watermarking attack, where somebody carefully crafts a file
with modifications to cancel out your changing IV, revealing a
repeating pattern in the encrypted data. A better scheme is
to make the IV's depend on the key, like ESSIV (encrypted salt-sector initialization vector), although there
are many options.
The old linux interface losetup is
vulnerable to this sort of attack, even from my 5-minute C program. Here's the encrypted filesystem
when writing the watermark file to an losetup filesystem:
Here's the same file written to a newer
cryptsetup filesystem:
Note the repeating patterns (the
watermark) is gone. See the full command list below.
Q: I need to let my husband use my
computer, but I don't want to give him the same password.
A: It's probably more
secure to have separate computers, but the standard trick for
multi-user access to a single shared encrypted disk is to have one
"disk key" that is stored in several copies, each one encrypted
using a separate "user key". The standard disk format on
Linux for this is LUKS. You can set this up so any authenticated user can
read the disk, but nobody else can. You could also have an
unencrypted copy of the disk key in a vault or safe deposit box,
for backup.
Q: How do I set this stuff up?
A: There are several portable solutions,
like TrueCrypt or PGP (now a
free Symantec product).
In Linux, the old 2.6 way is using
cryptoloop:
modprobe cryptoloop
modprobe aes
dd if=/dev/zero of=test.1m bs=1024k count=1
losetup -e aes -k 256 /dev/loop5 test.1m
mkfs.ext2 /dev/loop5
mkdir tmp
mount /dev/loop5 tmp
... filesystem is mounted to tmp ...
umount tmp
losetup -d /dev/loop5
The new and watermark-resistant way is
using cryptsetup:
modprobe aes
modprobe cbc
modprobe dm_mod
modprobe dm_crypt
dd if=/dev/zero of=test.1m bs=1024k count=1
cryptsetup --cipher aes --key-size 256 create foodrive test.1m
mkfs.ext2 /dev/mapper/foodrive
mount /dev/mapper/foodrive tmp
... filesystem is mounted to tmp ...
umount tmp
cryptsetup remove foodrive
Q: Help, I forgot my disk key!
A: It sucks to be
you. If you don't have an emergency recovery information
(ERI) file, your data is now gone. Hopefully you've got
backups elsewhere!