hard disk encryptions
DESCRIPTION
Hard Disk Encryptions by Imran @ null Hyderabad Meet, March, 2011TRANSCRIPT
Full Hard Disk Encryption
Agenda
What Why Where When Who can do it How
What is encryption
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is
encrypted information (in
What is FDE
Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. The term "full disk encryption" (or whole disk encryption) is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions Disk encryption prevents unauthorized access to data storage.--source: wikipedia
Why Disk/file Encryption ?
Because (there are infinite reasons to do it): Its last line of defense in case
everything else fails information is more important than
anything else nowadays of security,privacy, confidentiality and
integrity
Where can we use FDE/encryption ?
Everywhere !!!
When ?
* Its never too late.* When you feel its time !* when you start taking security seriously !!!
Who can do it ?
How ?
Open source to the rescue ! Easy to use (those pointy clicky
things, dont know what ? ), GUI's No major performance hits
Here comes interesting stuff
Various types of encryption for different levels.
–
–
Disk controller level–
–
Volume level–
–
Disk block level–
–
Filesystem level–
–
Directory level–
–
File level–
–
Row and column level (for
databases)
Encryption tools (continued)
The biggest weakness with encryption tools is not the algorithm, but how encryption keys are managed.
–
–
Some tools allow only one passphrase, forcing groups of staff to share it, which can result in it being divulged.
–
–
Some tools store the passphrase in a weak manner, allowing for easy brute force cracking using rainbow tables or dictionaries.
–
–
Some tools may be poorly designed
and leave sensitive information out of the
Disk controller encryption
Pros
As the encryption is done in hardware, little to no performance loss is encountered.
A secure erase and repurposing of the drive can be done in milliseconds by wiping and generating a new master encryption key.
Cons
Only select few drives have AES encryption on the drive controller level.
Key management is an issue with some drives, as they only may have one password that would have to be shared
among staff.
Disk/Volume encryption (BitLocker, PGP Whole Disk
Encryption)Pros
Generally excellent key management depending on utility.
Recovery of data by IT staff is doable. BitLocker can store recovery keys in Active Directory, PGP can issue disk recovery tokens.
Encrypts everything on the disk, OS, data, and
all. This protects against
Cons Most are commercially licensed. Malicious software that manages
to get superuser access can pull the master decryption keys from memory and set them aside for later use by an attacker.
May have performance issues if used on volumes with high read/write throughput.
May render data unrecoverable if used with RAID, depending on program.
Only protects if the machine is powered off or volumes are
unmounted.
Filesystem encryption (EncFS, FileVault)
Pros
Able to resize filesystems without having to copy data or decrypt files.
Backup programs can store the encrypted data.
Users can have their own encrypted directories, protected
against a root/admin
Cons
Sensitive data, if stored outside the protected filesystems can be left unprotected.
None have any enterprise level recovery abilities. EncFS only has one passphrase, FileVault can offer a recovery passphrase, but that isn’t scalable.
Directory/file level (EFS)
Pros
Excellent recoverability.
Multiple users can have access to groups of encrypted files.
Cons
Confidential information can leak, if stored outside the EFS protected directory.
Unless a backup program uses special semantics to back EFS protected files up, the backup will fail.
Row/Column level for databases
Pros
Encryption is independent of the system.
Resistant to compromise even if superuser privileges are obtained by unauthorized entities.
Most new DBMS programs support this.
Cons
Key management is an issue. Where does the app keep its authorization credentials?
Recovery of encrypted data is iffish, depends on the database program.
Sometimes hard to
sync up encrypted
Hardware assisted encryption (cryptographic tokens)
Pros
Protects against brute force password guessing by either disabling access after a number of password guesses, or adding a significant delay between entries.
Allows a machine to boot unattended while providing hard disk protection (Bitlocker).
Cons Hardware is sometimes hard
to find. For example, its hard to find machines with an onboard TPM/security chip.
Different drivers required for different cards. There is no real standard for cryptographic token I/O, other than APDU.
Hardware can fail, locking legitimate users out.
Demo !!!
1. True Crypt2. Encfs3. Luks/cryptsetup
Thanks