Three Paper Thursday: full disk encryption

Information is often an important asset and today’s information is commonly stored as digital data (bytes). We store this data in our computers local hard disks and in our laptops disks. Many organisations wish to keep the data stored in their computers and laptops confidential. Therefore a natural desire is that a stolen disk or laptop should not be readable by an external person (an attacker in general terms). For this reason we use encryption.

A hard disk is commonly logically organised in multiple sections, often referred to as either partitions or volumes. These volumes can be used for various purposes, and they are often structured according to a file system format (e.g. NTFS, FAT, HFS, etc.). It is possible to have a single disk with 3 volumes, where the first volume is formatted with NTFS and contains a Windows operating system, the second volume is formatted with EXT3 file system and contains an installation of a Linux distribution, while the third volume is formatted with FAT file system and only contains data (no operating system).

Volume encryption is a mechanism used to encrypt the contents of an entire volume. This is sometimes referred as “full disk encryption”, which is misleading, since a physical disk can actually contain multiple volumes, each encrypted independently.  However, since the term has become very popular, I will continue to refer to this kind of encryption as “full disk encryption” but the reader should keep the above distinction in mind.

There are several products that offer full disk encryption, e.g. PGP Whole Disk Encryption, TrueCrypt, Sophos SafeGuard, or Check Point FDE. Bitlocker is the full disk encryption integrated with the Windows OS and Apple has recently introduced FileVault 2 as full disk encryption from MAC OS X 10.7.

There are several limitations that affect the encryption of an entire disk. These have to do with 3 important aspects among others: a) encryption must be fast (a user should not notice any extra latency); b) the operating system is encrypted as well (so there must be some way of bootstrapping the decryption process when the computer boots)  c) the encryption mechanism should not reduce the available storage space noticeable (that is, we cannot use an extra block of data for every few encrypted blocks).

The following 3 papers explain in detail these limitations. Two of them relate to currently deployed full disk encryption systems.

Lest we remember: cold boot attacks on encryption keys. J. Halderman et al. Usenix Security Symposium 2008.

This paper explores the possibility of extracting encryption keys from memory (DRAM in particular). Full disk encryption uses a volume  key to encrypt and decrypt disk blocks. In order to allow a fast process the keys are stored in memory. Even more, the keys are expanded (e.g. for AES) and the round keys are also stored in memory (key expansion would introduce a considerable latency if this would need to be done for every block). Therefore a simple dump of the memory will contain the sensitive keys. The authors of this paper consider also the scenario in which a DRAM chip is extracted from the computer and measure the time after which the keys are still retrievable. Using the redundancy given by the expansion keys this time can be increased.

New methods in hard disk encryption. C Fruhwirth, Institute for Computer Languages, Theory and Logic, 2005.

This paper goes into the details of the encryption schemes that can be used for disk encryption and discusses many of the problems that are particular to this type of encryption. It details for example the many problems in using a common scheme such as CBC and also explains some techniques that can be used. The author has implemented some of the algorithms presented in LUKS (Linux Unified Key Setup).

AES-CBC + Elephant difusser: A disk encryption algorithm for Windows Vista. N Ferguson. Microsoft Corp. 2006.

This paper describes the encryption algorithm used in Bitlocker, the full disk encryption system available in Windows (since Vista). The paper comments on the limitations of existing encryption schemes and performance issues and details the solution adopted by Microsoft.

As an additional remark I point out that around 2007 a new mode of operation for AES, called AES-XTS, has been standardized: This is a “tweakable” mode of encryption (based on Rogaway’s XEX –, which allows each block in a disk to be encrypted independently. This has major advantages over other encryption modes such as CBC and has already been adopted by Apple in their full disk encryption system: FileVault 2.

1 thought on “Three Paper Thursday: full disk encryption

  1. Something that writes junk data to the DRAM on shutdown or on removal of power would mitigate at least some of the risk on the first paper.

    good papers though.

Leave a Reply

Your email address will not be published. Required fields are marked *