Educause Security Discussion mailing list archives
Full volume encryption
From: Phil Benchoff <benchoff () VT EDU>
Date: Tue, 9 Oct 2007 08:53:19 -0400
Here are some resources I have found useful in the area of volume encryption technical information. The first is from http://clemens.endorphin.org/cryptography. "New Methods in Hard Disk Encryption" covers the technical background. Chapters 1-4 cover the cryptographic background. They are probably a little more in depth than desirable for most people, but it does point out some potential problems with the CBC (plain) mode of AES and outline some more appropriate modes. The bottom line is that you need to know the mode of the cipher used and how key tweaks are used. The rest of the chapters are a bit more readable and cover important concepts like: * Key Hierarchies for Passwords * Anti-forensic Data Storage * Passwords from Entropy Weak Sources * TKS1: Template Key Setup 1 * A Tour of LUKS: Linux Unified Key Setup The second resource is the documentation for TrueCrypt at http://www.truecrypt.org/. Overall, the commercial products do not supply sufficient technical information to make any kind of real evaluation of the cryptographic methods or for you to know how to read their encrypted volumes on unsupported platforms. With most of the more open products you can mount file systems on unsupported platforms if you're willing to deal with setting up the cryptographic parameters yourself. Search for FreeOTFE, TrueCrypt, dm-crypt, and LUKS for some examples. What you do get with the commercial products is infrastructure to handle installation, updates, policy, and support. Most of the major vendors seem not completely incompetent and offer reasonable products if you are willing to accept some hand waving over the technical details. Many of the commercial products also offer "encrypt in place" features that can recover from power failures during the initial encryption. One thing to keep in mind when evaluating the value of the support infrastructure is that you first need to manage the risk of lost or failed drives. A solution that manages those risks goes a long way to managing the specific risks of encrypted drives, e.g. lost keys, remote support, and malicious employees who won't disclose the keys. Phil
Current thread:
- Full volume encryption Phil Benchoff (Oct 09)
- <Possible follow-ups>
- Re: Full volume encryption Roger Safian (Oct 09)
- Re: Full volume encryption Mike Wiseman (Oct 09)