Educause Security Discussion mailing list archives

Full volume encryption


From: Phil Benchoff <benchoff () VT EDU>
Date: Tue, 9 Oct 2007 08:53:19 -0400

Here are some resources I have found useful in the area of volume encryption
technical information.

The first is from http://clemens.endorphin.org/cryptography.

"New Methods in Hard Disk Encryption" covers the technical background.

Chapters 1-4 cover the cryptographic background.  They are probably a
little more in depth than desirable for most people, but they do point
out some potential problems with the CBC (plain) mode of AES and outline some
more appropriate modes.  The bottom line is that you need to know the
mode of the cipher used and how key tweaks are used.

The rest of the chapters are a bit more readable and cover important concepts
like:
* Key Hierarchies for Passwords
* Anti-forensic Data Storage
* Passwords from Entropy Weak Sources
* TKS1: Template Key Setup 1
* A Tour of LUKS: Linux Unified Key Setup

The second resource is the documentation for TrueCrypt at
http://www.truecrypt.org/.

Overall, the commercial products do not supply sufficient technical
information to make any kind of real evaluation of the cryptographic
methods or for you to know how to read their encrypted volumes on
unsupported platforms.  With most of the more open products you can
mount file systems on unsupported platforms if you're willing to deal
with setting up the cryptographic parameters yourself.  Search for
FreeOTFE, TrueCrypt, dm-crypt, and LUKS for some examples.

What you do get with the commercial products is infrastructure to handle
installation, updates, policy, and support.  Most of the major vendors seem
not completely incompetent and offer reasonable products if you are willing
to accept some hand waving over the technical details.  Many of the commercial
products also offer "encrypt in place" features that can recover from power
failures during the initial encryption.

One thing to keep in mind when evaluating the value of the support
infrastructure is that you first need to manage the risk of lost or
failed drives.  A solution that manages those risks goes a long way to
managing the specific risks of encrypted drives, e.g. lost keys, remote
support, and malicious employees who won't disclose the keys.

Phil
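
An added example, not part of the message above and not code from any project it names: a minimal parser for the LUKS1 on-disk header that reads the cipher, mode and key-setup parameters the message says you need to know, and flags CBC used with the plain sector number as IV. The sample header is constructed (zeroed salts and digests) and the function names are illustrative.

```python
import struct

# LUKS1 header (big-endian): 208-byte preamble, then 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3


def _text(raw):
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(buf):
    """Return the cryptographic parameters stored in a LUKS1 header."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("short read: need at least 592 bytes")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _salt, _km_off, stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        if active == SLOT_ENABLED:
            slots.append({"slot": i, "pbkdf2_iterations": iters, "af_stripes": stripes})
    mode = _text(mode)
    return {
        "cipher": _text(cipher), "mode": mode, "hash": _text(hash_spec),
        "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
        "mk_digest_iterations": mk_iter, "uuid": _text(uuid), "active_slots": slots,
        # CBC with the plain sector number as IV: the mode the message cautions about.
        "cbc_plain_iv": mode in ("cbc-plain", "cbc-plain64"),
    }


def sample_header(mode=b"cbc-essiv:sha256"):
    """Constructed header for demonstration; digests and salts are zero bytes."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", mode, b"sha1", 2056, 32, bytes(20),
                    bytes(32), 10000, b"00000000-0000-0000-0000-000000000000")
    slot0 = SLOT.pack(SLOT_ENABLED, 120000, bytes(32), 8, 4000)
    dead = SLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000)
    return hdr + slot0 + dead * 7


if __name__ == "__main__":
    print(parse_luks1(sample_header(b"cbc-plain")))
```

To inspect a real volume, pass the first 592 bytes of the device or image file to parse_luks1.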
