Techniques and Solutions for Storage Encryption

    Vittorio Giovara

    February 20, 2008

    Contents

    1 Introduction
      1.1 Overview
      1.2 Basics of File Storage
        1.2.1 Files and Filesystem
        1.2.2 Disk partition
        1.2.3 Master Boot Record
        1.2.4 Loop Device
      1.3 Solutions

    2 Modern Techniques
      2.1 Full Disk Encryption
      2.2 Virtual Disk Encryption
      2.3 Volume Encryption
      2.4 File/Folder Encryption
      2.5 Other Solutions

    3 Solution Analysis
      3.1 Possible Problems
        3.1.1 Advantages/Disadvantages Summary
      3.2 Cryptographic Concerns and Management
      3.3 Authentication Issues
      3.4 Selection Aspects

    4 Current Implementations and Benchmarks
      4.1 TrueCrypt 5.0
        4.1.1 TrueCrypt for Linux
        4.1.2 TrueCrypt for Windows
        4.1.3 TrueCrypt for Mac OS X
      4.2 BestCrypt
        4.2.1 BestCrypt for Linux
        4.2.2 BestCrypt for Windows
      4.3 Operating System Integrated Solutions
        4.3.1 Linux - dm-crypt
        4.3.2 Windows - EFS
        4.3.3 Mac OS X - FileVault
      4.4 Final Benchmarks
        4.4.1 Volume Encryption
        4.4.2 Virtual Disk Encryption
        4.4.3 Full Disk Encryption

    Bibliography

    A Test script

    List of Tables

    4.1 Volume Encryption performance test #1 (one file from single bytes)
    4.2 Volume Encryption performance test #2 (one file from blocks of 1024 bytes)
    4.3 Volume Encryption performance test #3 (one file from blocks of 4096 bytes)
    4.4 Volume Encryption performance test #4 (multiple files from single bytes)
    4.5 Volume Encryption performance test #5 (multiple files from blocks of 1024 bytes)
    4.6 Volume Encryption performance test #6 (multiple files from blocks of 4096 bytes)
    4.7 Virtual Disk Encryption performance test #1 (one file from single bytes)
    4.8 Virtual Disk Encryption performance test #2 (one file from blocks of 1024 bytes)
    4.9 Virtual Disk Encryption performance test #3 (one file from blocks of 4096 bytes)
    4.10 Virtual Disk Encryption performance test #4 (multiple files from single bytes)
    4.11 Virtual Disk Encryption performance test #5 (multiple files from blocks of 1024 bytes)
    4.12 Virtual Disk Encryption performance test #6 (multiple files from blocks of 4096 bytes)
    4.13 Full Disk Encryption boot time test
    4.14 Full Disk Encryption performance test #1 (one file from single bytes)
    4.15 Full Disk Encryption performance test #2 (one file from blocks of 1024 bytes)
    4.16 Full Disk Encryption performance test #3 (one file from blocks of 4096 bytes)
    4.17 Full Disk Encryption performance test #4 (multiple files from single bytes)
    4.18 Full Disk Encryption performance test #5 (multiple files from blocks of 1024 bytes)
    4.19 Full Disk Encryption performance test #6 (multiple files from blocks of 4096 bytes)

    Chapter 1

    Introduction

    This document will focus on the current theories and actual implementations of storage encryption technology. A brief introduction to the problem of securing data on hardware devices will be provided, along with some basics about file storage techniques, in order to fully understand the main issues. Afterwards this document will present the main solutions, analyzing the advantages and disadvantages of each one and taking into consideration encryption and authentication concerns. Finally, some related open source programs currently available will be shown, testing the performance impact of each adopted solution.

    1.1 Overview

    Due to the pervasive presence of computer systems in every aspect of modern life, there has been major concern regarding the protection and confidentiality of data and information stored in hardware devices, such as hard disks, USB drives, portable CD/DVD and memory cards. Malicious actions can be performed in order to obtain access to sensitive data and commit identity theft, industrial secrets disclosure, fraud and privacy violation in general.

    To avoid unauthorized access to private information it has been suggested to adopt symmetric encryption (quicker than asymmetric encryption for large quantities of data) on such devices, making it impossible to make use of such data without proper authentication and proper access rights. This way data is protected from unauthorized reads even if the device is lost.

    Encryption is very effective, as it can be applied to single files (granularly) or to the whole volume, but its introduction can cause some disadvantages, like backup problems, recovery of lost keys, operating system integration, performance impact and centralized management drawbacks.

    1.2 Basics of File Storage

    In order to understand how the technologies for storage encryption work, it is important to have some basic knowledge about how files are stored on disk and how the operating system interacts with the filesystem. Here is a brief description of some of the recurring aspects in the solutions discussed later.

    1.2.1 Files and Filesystem

    The computer stores data into an abstract data type, called a file, that allows information to be organized and accessed according to the operating system implementation. Files are usually stored on non-volatile devices so that their state is preserved even without power supply; such devices can be magnetic disks (very common) or flash memory (like memory cards and USB pendrives).

    The operating system can access files only if the disk is formatted with a filesystem; this means that the device is organized under known patterns as reported by the filesystem. It is the filesystem that manages and stores files accordingly onto the device, respecting the address data of clusters and blocks of the disk, and that works as a driver for the operating system when dealing with file attributes, file types, access permissions and available operations.

    1.2.2 Disk partition

    A disk can be formatted only if it has been properly partitioned, that is, it has been logically divided into one or multiple independent drives. A partition is the logical container of the filesystem; if no filesystem is present the partition is raw and can't be accessed by the operating system (with some exceptions, like the swap space in UNIX systems).

    In IBM PC-compatible disks, the list of the partitions is stored in the Partition Table, a 16 bytes field in the Master Boot Record; these kinds of disks can hold only four primary partitions, but it's also possible to create one extended partition capable of holding up to 128 different partitions. The type of partition is defined in the first byte of the partition table entry (which can also contain information about the filesystem installed).

    1.2.3 Master Boot Record

    The Master Boot Record is the first sector (512 bytes) of a partitioned data storage device, often called Sector 0, and contains important information on the structure of the partitioned disk. In IBM-PC convention, the Master Boot Record holds the primary partition table, four 16 bytes entries, and the bootstrapping code, the code to be executed when the BIOS identifies the first active primary disk, usually a bootloader, such as LILO or GRUB, or some operating system bootstrap instructions.
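
    The sector layout described above, as an added Node.js example that is not part of the original paper: it reads the four 16-byte entries of a 512-byte sector and fingerprints the bootstrap code so that a later read can be compared against a known-good baseline. The offsets follow the classic IBM-PC layout (446 bytes of bootstrap code, the table, the 0x55AA signature); the function names and the sample sector are constructed for illustration.

```javascript
// Added illustration: parse an MBR sector and fingerprint its bootstrap code.
// The sample sector is constructed in buildSampleSector(); it is not a real disk image.
const crypto = require('node:crypto');

const SECTOR_SIZE = 512;
const BOOT_CODE_LEN = 446; // bootstrap code area that precedes the partition table
const ENTRY_LEN = 16;      // the table holds four 16-byte entries

function parseMbr(sector) {
  if (!Buffer.isBuffer(sector) || sector.length !== SECTOR_SIZE) {
    throw new RangeError('expected one 512-byte sector');
  }
  const entries = [];
  for (let i = 0; i < 4; i++) {
    const off = BOOT_CODE_LEN + i * ENTRY_LEN;
    const entry = sector.subarray(off, off + ENTRY_LEN);
    if (entry.every((b) => b === 0)) continue; // all-zero entry: unused slot
    entries.push({
      index: i,
      active: entry[0] === 0x80,           // status byte: 0x80 marks the bootable partition
      startLba: entry.readUInt32LE(8),     // first sector of the partition
      sectorCount: entry.readUInt32LE(12), // partition length in sectors
    });
  }
  const bootCode = sector.subarray(0, BOOT_CODE_LEN);
  return {
    signatureOk: sector[510] === 0x55 && sector[511] === 0xaa,
    bootCodeSha256: crypto.createHash('sha256').update(bootCode).digest('hex'),
    entries,
  };
}

// Compare a freshly parsed sector with a known-good baseline and list what changed.
function diffMbr(baseline, current) {
  const findings = [];
  if (!current.signatureOk) findings.push('boot signature 0x55AA missing');
  if (current.bootCodeSha256 !== baseline.bootCodeSha256) findings.push('bootstrap code changed');
  if (JSON.stringify(current.entries) !== JSON.stringify(baseline.entries)) {
    findings.push('partition table changed');
  }
  return findings;
}

// Constructed sample: filler bootstrap bytes, two partitions, valid signature.
function buildSampleSector() {
  const s = Buffer.alloc(SECTOR_SIZE);
  s.fill(0x90, 0, BOOT_CODE_LEN);
  s[BOOT_CODE_LEN] = 0x80;                          // entry 0 is the active partition
  s.writeUInt32LE(2048, BOOT_CODE_LEN + 8);
  s.writeUInt32LE(204800, BOOT_CODE_LEN + 12);
  s.writeUInt32LE(206848, BOOT_CODE_LEN + ENTRY_LEN + 8);
  s.writeUInt32LE(409600, BOOT_CODE_LEN + ENTRY_LEN + 12);
  s[510] = 0x55;
  s[511] = 0xaa;
  return s;
}

const baseline = parseMbr(buildSampleSector());
const modified = buildSampleSector();
modified[0x10] ^= 0xff; // simulate a change inside the bootstrap code area
console.log(baseline.entries, diffMbr(baseline, parseMbr(modified)));
```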

    1.2.4 Loop Device

    Loop devices are pseudo-devices that make files accessible as if they were actual physical disks. They can be mounted and formatted like any other storage device, with the difference that the files reside on top of another filesystem; normally loop devices are slower than standard hardware devices.

    1.3 Solutions

    As reported by [1], the most commonly found solutions for storage encryption are:

    Full Disk Encryption

    Virtual Disk/Volume Encryption

    File/Folder Encryption

    It is possible to implement nested solutions or use other available systems. The following chapter (2) will describe the operational behaviour of each system along with other possible solutions, while for a more detailed analysis, please consult chapter 3.

    Sometimes Virtual Disk/Volume Encryption is referred to as on-the-fly encryption because files are immediately accessible after authentication and the virtual disk is mounted with physical drive emulation.

    Chapter 2

    Modern Techniques

    This chapter will present the available technologies created for implementing storage encryption in various environments, showing the main purposes and limitations of each method.

    2.1 Full Disk Encryption

    Full Disk Encryption is a software-based technique that ciphers the whole content of the disk, that is all files (including the system ones) present on the device, with a symmetric encryption algorithm (usually the Advanced Encryption Standard).

    This method works by redirecting the Master Boot Record code to a Pre Boot Environment instead of the primary operating system; in the Pre Boot Environment the system loads basic drivers for Input/Output and asks the user for authentication (Pre Boot Authentication). After this step, the computer loads and decrypts all the files needed during bootstrap; once the operating system is loaded, the user is no longer asked for authentication and every file is transparently encrypted or decrypted when it is written to or read from disk respectively.

    Figure 2.1: Boot sequence for Full Disk Encryption (original image at [1])

    Full disk encryption is very effective when the device is lost or when the computer is off, as there is no way for data to be disclosed without proper user authentication, but it is very weak compared to other storage encryption solutions because when the computer is on and the operating system is loaded it doesn't offer any kind of security or confidentiality at all.

    On the other hand, this method is very well supported by operating systems, since the encryption is transparent to them, even if modifying the Master Boot Record can cause trouble in dual or multi boot systems (a computer with two or more operating systems). The Master Boot Record is usually checked for integrity in the Pre Boot Environment, so it is not possible to modify it without proper tools. There are some hardware implementations that, thanks to additional non-removable disk controllers for key and password storage, preserve the Master Boot Record; however they have received little interest from the market as they cannot be managed centrally and require physical presence for any operation.

    The delay and overhead brought by the encryption/decryption process is tangible only at boot time and when dealing with very large files.

    2.2 Virtual Disk Encryption

    Virtual Disk Encryption is used for encryption of single or multiple files. The files which need protection are stored in a special container, as if it were a folder, which is afterwards encrypted. Separate software is needed to obtain access to the files saved in the container, and all reads and writes are handled by that software only after authentication. Sometimes it is also possible to install such software as a kernel module in order to reduce the delay.

    If the operating system supports single sign-on, it is possible to configure this solution to automatically authenticate the user through the operating system authentication; in this way it would be enough for the user to use a single password for accessing the operating system and the encrypted file. Even if this can prove to be more functional, it severely lowers the security of the system, so it should be used with caution.

    The Virtual Disk Encryption method is very portable as it doesn't involve filesystem metadata (path, timestamps, etc.) nor operating system support (everything is performed through the bundled software). Often when the container is copied or moved from the disk to a portable device, the necessary executable is included as well, making the container accessible from other computers.

    Thanks to this ease of portability this method is also preferred for making quick backups of the encrypted file.

    2.3 Volume Encryption

    Volume Encryption adopts the container technology used in Virtual Disk Encryption for protecting a whole disk partition, as in Full Disk Encryption. So it inherits the properties of both methods: easy and quick backups, external software for accessing the container, transparency for the user as it protects all files in the volume, and portability.

    Moreover it is possible to mount this volume container, just like any other disk device, and use it directly without the software (which is always needed for authentication). On the other hand this solution offers lower encryption capabilities than Full Disk Encryption, since it cannot cipher the primary disk where the operating system is installed and so it cannot even protect the memory or the swap file.

    2.4 File/Folder Encryption

    File/Folder Encryption is very similar to the Virtual Disk Encryption solution; basically it is its transparent implementation: the software is directly integrated in the operating system and the container is just a filesystem folder.

    This method performs very well, as it is possible to encrypt/decrypt single files instead of the whole container, and since it is directly supported by the filesystem the directory structure and data path are preserved, without having to move the files into the container. Moreover its integration with the operating system allows automatic encryption of files written by selected applications, files with a certain extension and files from particular users. In this solution too it is possible to adopt single sign-on for rapid access to files.

    One of the main drawbacks of this solution is that external information about files, such as filename, size, type and path, is not (and can't be) protected, reducing the level of confidentiality offered.

    2.5 Other Solutions

    Full Disk Encryption, Virtual Disk/Volume Encryption and File/Folder Encryption are not the only available solutions, but are certainly the most adopted. Other methods are less supported by the existing environment and/or require additional actions from the user.

    One solution involves modification of the application level in order to cipher only the important pieces of information; for example in a database application it is possible to encrypt only the sensitive fields of certain tables, like customers' private data. Obviously this methodology can be applied in limited cases and so is rarely adopted.

    Another solution is to allow access to important data only through a virtual machine disconnected from the network, which is encrypted when not in use. This solution is very similar to Virtual Disk Encryption but offers additional security as it is possible to nest different protection measures and separate the important data from the user data; since virtual machines are single files it is very easy to make backups.

    One final solution consists in forbidding the storage of sensitive information on any device. This is performed in several ways:

    No copies on mobile devices, like PDAs, memory cards or USB drives;

    No copies on CD or DVD if data has not been encrypted;

    Adopting a terminal/client environment, so data can be secured directly on the mainframe and accessed only after user authentication;

    Accessing sensitive data only through secure applications, for example using a web portal to gather and manipulate data over a secure SSL channel (in which it would be convenient to authenticate both the server and the client).

    Chapter 3

    Solution Analysis

    Having presented the main choices of Storage Encryption techniques, this chapter presents a detailed analysis of the general problems in adopting a solution and of the theoretical and practical aspects of the encryption process and authentication methodology.

    3.1 Possible Problems

    After having set up a Storage Encryption environment, many implementation aspects are often not taken care of. For example there is no solution that protects the empty disk space. When deleting a file, often its content is not totally deleted, but its pointer is just dereferenced; so using forensic analysis over the empty space it is possible to restore part or the whole of the file.

    Another weak point of the current solutions is that after authentication data is decrypted right away and stored in primary memory with no protection, and unauthorized software could fetch sensitive data directly from it. Similarly there are almost no systems that preserve encryption over copied or moved data. Moreover many software-based solutions keep authentication information like keys and passwords on the device they are protecting, making it easy prey for malware and malicious attacks. Finally all systems are susceptible to keyloggers, hardware or software devices that keep track of what has been typed on the keyboard, in order to obtain passwords or directly the important data itself.

    On the other hand modern technologies are very compatible with each other and so it is possible to use several protection systems for the same resource, even with different keys each. Moreover the same resource can be shared by multiple users while still in encrypted form and decrypted with several different keys; see 3.3 for further details.

    3.1.1 Advantages/Disadvantages Summary

    Here is a brief summary of the advantages and disadvantages of each of the main solutions. Please see chapter 2 for a more detailed description.

    Full Disk Encryption

    + All data on disk is protected and the user doesn't have to choose which files to protect;

    + Immediate data destruction: it is enough to destroy the keys and data will be unreadable;

    - Offers no protection whatsoever when the operating system is loaded;

    - Limited protection for swap and hibernation files.

    Virtual Disk/Volume Encryption

    + Only selected content protected;

    + Very portable and easy backup;

    + Possible single sign-on for automatic access to encrypted files;

    - No protection for swap file and primary memory.

    File/Folder Encryption

    + Integrates perfectly with the operating system and the filesystem;

    + Possible single sign-on for automatic access to encrypted files;

    - Needs filesystem support for preserving encryption;

    - Less confidentiality offered.

    3.2 Cryptographic Concerns and Management

    Storage Encryption offers some interesting challenges from the point of view of cryptographic analysis. As a matter of fact a great number of parameters are implementation dependent, like the number and the types of keys used in the cipher, the encryption algorithm and the storage of the hashes of the authentication details (as username and password mustn't be kept in cleartext).

    Generally, according to [1], the preferred algorithm for security and performance reasons is the Advanced Encryption Standard (AES) with integrity checking through either HMAC-SHA or Cipher-Based Message Authentication Code (CMAC), or Counter with Cipher Block Chaining-Message Authentication Code (CCM). Please see [1] for additional details.

    There are two peculiar aspects that affect the classical encryption process. The first one is that there are encrypted files that have to be shared across multiple users. Clearly it is impossible to reuse the same key, because it would too greatly reduce the security level of the key (and the associated password). So a tricky solution must be used: each individual key is used to decrypt another file which contains the single key used to decrypt the actual encrypted data. This procedure is described in more detail in 3.3.

    The other peculiar factor is that since a single loss of a key can make the whole encrypted data unreadable, just as if it had been completely destroyed, there must be some kind of recovery system. This is implemented in several ways, like using a special recovery key in addition to the users' keys. Very often however keys are kept secure in a centralized server that is used for management.

    As a matter of fact all the described solutions are set up to be controlled and managed remotely from a centralized computer which is in charge of handling many management aspects. Moreover with a centrally managed system it is possible to perform frequent and easy backups of the sensitive encrypted data and/or of the computer settings. Here is a list of the advantages of a centrally managed environment:

    Updates and deploying: One of the key factors for a secure storage environment is to keep software updated and be able to deliver it to the final users quickly;

    Configuration: As said before, there are many parameters to be configured, not only the algorithms and keys, but also some authentication settings (like files accessible from different groups of users, administrators and single users);

    Logs: Many programs help to keep track of file access or password modification, and having a centralized management system is necessary for fetching and saving such information;

    Recovery: Recovery keys for when the main key is lost or damaged are stored on the centralized system in order to always keep a safe copy for quick action. Sometimes it is possible to store backups of encrypted data too;

    Routine system management: Just some control and checks over the running systems.

    3.3 Authentication Issues

    Authentication is another important aspect of a Storage Encryption environment. All the solutions presented are based on a successful authentication for allowing access to encrypted files. This is achieved with any of the following authenticators (in order of security effectiveness):

    single sign-on: Access granted via the credentials provided by the operating system;

    unique password or PIN: A normal password-based authentication;

    token-code: Single use codes, obtained from additional hardware, providing one time passwords;

    token-code with unique password or PIN: The union of the two previous factors.

    It is possible to use either one-factor or two-factor authentication systems; with the former the authenticator usually grants access to the key used in the actual decryption, while with the latter typically one factor gives access to another factor, which is the one used in decrypting information; as [1] reports, a password can be used to retrieve a key from a smart card, and that key is then used to decrypt the storage encryption key. Clearly two-factor authentication is much more secure, and the acquisition of either factor doesn't cause the disclosure of the encrypted data.

    Another interesting aspect of the authentication process arises when dealing with encrypted files accessible by multiple different users. This seems to break the conventional rules of encryption algorithms, but actually the implementation is very simple. The data is encrypted with just a single key, which is put in a container or a clear file; either way, the key is repeatedly encrypted with as many keys as there are users. So when a user uses his own password or key to access the data, that password is used to decrypt the ciphered key that is used for the real access to the data. This can prove to be delicate when the key needs to be updated, but thanks to the centrally managed system the process requires very little time for encrypting the main key several times and deploying the secondary key to the users.
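
    The shared-key scheme of 3.2 and the multi-user access described above, together with the recovery key of 3.2, as an added Node.js example that is not part of the original paper or of any tool it reviews. The slot layout, PBKDF2 parameters, AES-256-GCM choice, names and passwords are assumptions made for this illustration.

```javascript
// Added illustration: one data key encrypts the payload; each user holds a wrapped copy.
// Slot names, passwords, payload and the iteration count are constructed for this example.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed work factor; tune upward for real use

// Derive a 256-bit key-encryption key (KEK) from a password and a per-slot salt.
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// AES-256-GCM: encryption plus an authentication tag for integrity checking.
function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(label)); // binds the ciphertext to its slot name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or throws if the key is wrong or the data was altered.
function open(key, box, label) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(Buffer.from(label));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// The payload is encrypted exactly once, under a random data key.
function createContainer(plaintext) {
  const dataKey = crypto.randomBytes(32);
  const container = { slots: {}, payload: seal(dataKey, Buffer.from(plaintext), 'payload') };
  return { container, dataKey };
}

// Each user (and the recovery authority) gets the data key wrapped under its own KEK.
function addSlot(container, dataKey, name, password) {
  const salt = crypto.randomBytes(16);
  container.slots[name] = { salt, wrapped: seal(deriveKek(password, salt), dataKey, name) };
}

// Returns the data key, or null when the slot is missing or the password is wrong.
function unlock(container, name, password) {
  const slot = container.slots[name];
  if (!slot) return null;
  try {
    return open(deriveKek(password, slot.salt), slot.wrapped, name);
  } catch {
    return null;
  }
}

function readPayload(container, name, password) {
  const dataKey = unlock(container, name, password);
  return dataKey ? open(dataKey, container.payload, 'payload').toString() : null;
}

// Changing one password re-wraps only that slot; payload and other slots are untouched.
function changePassword(container, name, oldPassword, newPassword) {
  const dataKey = unlock(container, name, oldPassword);
  if (!dataKey) return false;
  addSlot(container, dataKey, name, newPassword);
  return true;
}

// Recovery path: the escrowed recovery secret unlocks the data key and issues a fresh slot.
function recoverSlot(container, recoverySecret, name, newPassword) {
  const dataKey = unlock(container, 'recovery', recoverySecret);
  if (!dataKey) return false;
  addSlot(container, dataKey, name, newPassword);
  return true;
}

function demo() {
  const { container, dataKey } = createContainer('payroll-2008.csv contents');
  addSlot(container, dataKey, 'alice', 'alice passphrase');
  addSlot(container, dataKey, 'bob', 'bob passphrase');
  addSlot(container, dataKey, 'recovery', 'escrowed recovery secret');
  const payloadBefore = container.payload.ct.toString('hex');
  const results = {
    alice: readPayload(container, 'alice', 'alice passphrase'),
    bob: readPayload(container, 'bob', 'bob passphrase'),
    wrongPassword: readPayload(container, 'bob', 'alice passphrase'),
    changed: changePassword(container, 'alice', 'alice passphrase', 'new alice passphrase'),
  };
  results.oldPasswordAfterChange = readPayload(container, 'alice', 'alice passphrase');
  results.recovered = recoverSlot(container, 'escrowed recovery secret', 'bob', 'bob reset');
  results.bobAfterRecovery = readPayload(container, 'bob', 'bob reset');
  results.payloadUntouched = container.payload.ct.toString('hex') === payloadBefore;
  return results;
}

console.log(demo());
```

    Re-wrapping or deleting a slot does not take the data key away from a user who has already unlocked it; replacing the data key itself means re-encrypting the payload and re-wrapping every slot, which is the delicate update step mentioned above.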

    3.4 Selection Aspects

    The choice of the Storage Encryption technology should be based on several factors and should not be limited to a single solution. The main aspects on which to base the selection are:

    what needs protection

    what are the authenticators supported

    how does the operating system support the solution

    how is the system managed

    interoperability between different operating systems

    which is the performance impact of the solution

    how are recovery and backups performed

    Chapter 4

    Current Implementations and Benchmarks

    In this final chapter a set of the modern open source implementations for storage encryption systems will be shown; a comprehensive list of all the storage encryption software is located at [6]. The analysis will provide a description of the main features and some actual tests of the performance impact.

    4.1 TrueCrypt 5.0

    TrueCrypt is one of the most portable solutions as it is available for Windows, Mac OS X and Linux systems and its sources are freely available. It offers lots of cryptographic algorithms too, like AES (default), Blowfish, Serpent, 3DES, Twofish and combinations of them; it secures the passwords with RIPEMD-160, SHA-1 or Whirlpool hashes. This tool also gives the possibility to create hidden volumes that are more difficult to identify.

    Given its portability, every disk image created with TrueCrypt is readable by any version of the software on any operating system; on the other hand, the disk image format is not standard and can't be mounted by normal system tools but requires the presence of the software to access the containers.

    4.1.1 TrueCrypt for Linux

    The version for Linux systems installs a command line program that implements only the Virtual Disk/Volume Encryption solution. With the option truecrypt -c it is possible to map a virtual container or a partition as an encrypted volume. Then the user is prompted to select the volume size, the cipher, the hash and the filesystem; as with standard UNIX tools, it is possible to pass these parameters as command line arguments.

    After the volume creation it is possible to mount it to a folder like any other device, but not with the mount command: it is necessary to always mount the container with the truecrypt program, which will need the correct volume password in order to access it. Now it is possible to use the encrypted volume (or file) like a standard storage device.

    The only available filesystem for the container is FAT.

    4.1.2 TrueCrypt for Windows

    The version for Windows offers Full Disk Encryption as well as Virtual Disk/Volume Encryption. The program has a graphical user interface with the same options as the Linux counterpart: same algorithms, same hashes, possibility to mount the container as a normal volume and so on. The user just needs to follow a graphical wizard where each parameter is somewhat described.

    For mounting volumes the user has to browse for the image file and select a drive letter; now it is possible to access the container like a normal drive from the My Computer folder. This volume can be formatted with the FAT or NTFS filesystems.

    4.1.3 TrueCrypt for Mac OS X

    The version for Mac OS X has the same graphical user interface as the Windows version, but doesn't offer the Full Disk Encryption implementation. There are the usual encryption algorithms and hashes and it is possible to mount volumes only with the program itself.

    Also in this version the only available filesystem is FAT.

    4.2 BestCrypt

    BestCrypt is one of the most used tools for storage encryption and one of the oldest programs available (started in 1993). The sources are open for review, but the program is not free: there is a 30-day tryout before purchasing a licence.

    This software has more parameters to choose from than TrueCrypt, as it has more encryption algorithms (like IDEA, CAST and GOST), more hashes for passwords (like MD5) and supports as many filesystems as the operating system can (FAT, EXT2/3 and ReiserFS on Linux, FAT and NTFS on Windows). Another interesting feature is that images created by different versions of this program are compatible with each other.

    4.2.1 BestCrypt for Linux

    The Linux version offers only the Virtual Disk/Volume Encryption implementation. Actually it is more difficult to install than TrueCrypt, because it requires some proprietary modules to be loaded into the kernel, and once installed there is no tutorial or wizard for creating volume files; it needs direct command line arguments from the user.

    The program bctool requires an action to perform. The most used are:

    new: to create a virtual disk or a block volume, with the -a option for selecting the cipher;

    format: to format the container with the FAT filesystem (you can select others with the -t option);

    mount: to mount the container like any other device.

    4.2.2 BestCrypt for Windows

    Similarly to TrueCrypt, this version of BestCrypt supports Virtual Disk/Volume Encryption and Full Disk Encryption. It offers even more parameters for virtual disks, like the authentication method (password based, public key or shared secret) and hash functions (most notably SHA-256).

    This version also has a graphical user interface, with a control panel listing all the mounted volumes and the disk images that can be mounted.

    4.3 Operating System Integrated Solutions

    Here is a presentation of the main security features for storage devices already present in current operating systems.

    4.3.1 Linux - dm-crypt

    The Linux world changes continuously and new cryptography features are added to the kernel very often. However there is one standard tool for managing encrypted devices: dm-crypt, which stands for Device Mapper for (en)Cryption. It is a kernel tool that maps encrypted disks to standard device files, while authentication and encryption are performed externally by tools like cryptsetup.

    The format in which the container or the volume is encrypted is standardized by the LUKS project (Linux Unified Key Setup). In this way the container can be created, mounted and managed by different software, even on different operating systems; for example FreeOTFE for Windows is capable of handling virtual disks created in Linux, and the disks created by FreeOTFE can be mounted on Linux systems.

    cryptsetup can create Volume Encryption devices and also works with Virtual Containers, although the latter requires a loop device to be already available (usually set up with losetup; for more information see 1.2.4 or consult [3]). Since it works with dm-crypt, which is close to the kernel, it can create encrypted root systems with Pre-Boot Authentication. This is usually done by editing the bootloader and creating (or modifying, if it exists) the initrd.img file; at startup initrd.img is loaded before the kernel and generates a subsystem for user authentication, after which the system is dynamically decoded and loaded. A very detailed guide to this process is available at [7].

    The syntax of cryptsetup is a little more complicated than that of the other solutions and there is practically no wizard at all. When dealing with Volume Encryption it is generally necessary to add the prefix luks to the standard operations (open, mount, create) and to define the hash and cipher on the command line (default AES, RIPEMD-160). The supported filesystems are those supported by the operating system in which the container is created.
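
    The layering described above (container file, loop device set up with losetup, LUKS mapping handled by cryptsetup, then the filesystem) can be written out as follows. This is an added example, not part of the original document; the paths, mapping name, container size, cipher and hash are assumptions, and the script only prints the commands unless RUN=1 is set.

```shell
#!/bin/bash
# Added example (not from the original document): an encrypted FAT container
# in a regular file, layered as file -> loop device -> dm-crypt mapping -> mount.
# Dry run by default: commands are printed only. RUN=1 (as root) executes them.
# Assumptions: every path, the mapping name, the size, the cipher and the hash.
IMG=${IMG:-/tmp/vault.img}      # container file
LOOP=${LOOP:-/dev/loop0}        # a free loop device
NAME=${NAME:-vault}             # mapping shows up as /dev/mapper/$NAME
MNT=${MNT:-/mnt/vault}          # existing mount point
SIZE_MB=${SIZE_MB:-64}

run() {   # print the command; execute it only when RUN=1
    printf '%s\n' "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# One-time setup. luksFormat writes the LUKS header and asks for the passphrase;
# cipher and hash are given explicitly instead of relying on the defaults.
create_container() {
    run dd if=/dev/urandom of="$IMG" bs=1M count="$SIZE_MB" &&
    run losetup "$LOOP" "$IMG" &&
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 \
        --hash sha256 "$LOOP" &&
    run cryptsetup luksOpen "$LOOP" "$NAME" &&
    run mkfs.vfat "/dev/mapper/$NAME" &&
    run cryptsetup luksClose "$NAME" &&
    run losetup -d "$LOOP"
}

# Attach, unlock and mount; on failure undo the layers already set up.
open_container() {
    run losetup "$LOOP" "$IMG" || return 1
    run cryptsetup luksOpen "$LOOP" "$NAME" || { run losetup -d "$LOOP"; return 1; }
    run mount "/dev/mapper/$NAME" "$MNT" || {
        run cryptsetup luksClose "$NAME"; run losetup -d "$LOOP"; return 1; }
}

# Teardown in reverse order, so the mapping is removed before the loop is freed.
close_container() {
    run umount "$MNT" &&
    run cryptsetup luksClose "$NAME" &&
    run losetup -d "$LOOP"
}

case ${1:-} in
    create) create_container ;;
    open)   open_container ;;
    close)  close_container ;;
esac
```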

    4.3.2 Windows - EFS

    On Windows systems the main file system is NTFS (New Technology File System), which supports encryption through EFS (Encrypted File System); on top of an NTFS filesystem the metadata of the file (or folder) is changed and the associated content is encrypted with AES-256 (optionally with 3DES or DESX). This feature was introduced in Windows 2000 and improved in later versions of the system.

    The latest version supports multiple shared encrypted files, authentication with public certificates and smart cards, and encryption of the swap file.

    From the security point of view, this system is quite lacking, as the file can still be modified externally (for example renamed) and the file name can still be read (possibly disclosing its content). On the other hand, from the point of view of simplicity, this system is very easy to use, as there are just three steps to encrypt a file: right-click on the file to encrypt, click on Advanced and then check Encrypt contents to secure data.

    4.3.3 Mac OS X - FileVault

    Macintosh systems offer data protection for the user's whole home folder; this is generally good, since the user doesn't have to select which files to protect. However one of its main drawbacks is that only the home folder is protected, while the rest of the operating system is unprotected; so there is no Full Disk Encryption support, and preserving the encryption of data on external devices is impossible.

    The adopted algorithm is the Advanced Encryption Standard with a 128 bit key derived directly from the user's password; when the user is logged on to the system there is no need to enter a password, making this solution very transparent. It is also possible to set up a master password for unlocking or restoring a FileVault account, which is very useful for recovery. The system implements a Virtual Disk Encryption method, as it creates a container of expandable size, moves the contents of the home folder there, encrypts the container and mounts it where the home folder was previously located.

    This solution is easy to enable: in System Setting, click Security and then Activate FileVault. The latest versions of this software addressed the performance impact, which has been drastically reduced over time. For more information please consult [8].

    4.4 Final Benchmarks

    In order to understand the performance impact of the different solutions, several tests were run on the encrypted file systems; more precisely, the time needed to perform the following operations was recorded:

    1. write 1 file of dimension 1B, 1kB, 10kB, 100kB, 1MB, 10MB with sequences of 1 byte;

    2. write 1 file of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 1024 bytes;

    3. write 1 file of dimension 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 4096 bytes;

    4. write 100 files of dimension 1B, 1kB, 10kB, 100kB, 1MB with sequences of 1 byte;

    5. write 100 files of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB with blocks of 1024 bytes;

    6. write 100 files of dimension 100kB, 1MB, 10MB, 100MB with blocks of 4096 bytes.

    The tests for Full Disk Encryption were run on a Windows XP machine, Intel Pentium 4 HT 3,8GHz with 2 GB of RAM, 10000rpm 40 GB SATA disk with NTFS.

    The tests for Virtual Disk/Volume Encryption were run on an Ubuntu Linux 7.10 machine, Intel Core 2 Duo 2,8GHz with 2 GB of RAM, 7200rpm 10 GB SATA disk. The filesystem adopted for the tests was FAT, so as to maintain a layer of compatibility among the different solutions.
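
    A harness that runs the six write tests listed above could look like this. It is an added example, not the author's script from Appendix A; the TARGET variable, the function names, the reading of 1 kB as 1024 bytes and the flush after each file are assumptions.

```shell
#!/bin/bash
# Added example (not the author's Appendix A script): write-timing harness for
# the six tests listed above. Assumptions: TARGET is the mount point of the
# filesystem under test, 1 kB = 1024 B, GNU date/dd, and every function name.
TARGET=${TARGET:-.}

# to_bytes 10kB -> 10240
to_bytes() {
    case $1 in
        *kB) echo $(( ${1%kB} * 1024 )) ;;
        *MB) echo $(( ${1%MB} * 1024 * 1024 )) ;;
        *GB) echo $(( ${1%GB} * 1024 * 1024 * 1024 )) ;;
        *B)  echo "${1%B}" ;;
        *)   echo "bad size: $1" >&2; return 1 ;;
    esac
}

# write_file PATH SIZE_BYTES BLOCK_BYTES: write zeros in BLOCK_BYTES chunks.
# conv=fsync flushes before dd exits so the timing covers the encryption layer,
# not only the page cache (a choice of this example; the page does not say
# whether its timings include a flush).
write_file() {
    [ $(( $2 % $3 )) -eq 0 ] || { echo "size not a multiple of block" >&2; return 1; }
    dd if=/dev/zero of="$1" bs="$3" count=$(( $2 / $3 )) conv=fsync 2>/dev/null
}

# time_writes FILES SIZE_BYTES BLOCK_BYTES: print elapsed seconds (3 decimals).
time_writes() {
    tw_dir=$(mktemp -d "$TARGET/bench.XXXXXX") || return 1
    tw_start=$(date +%s.%N)
    tw_i=0
    while [ "$tw_i" -lt "$1" ]; do
        write_file "$tw_dir/f$tw_i" "$2" "$3" || { rm -rf "$tw_dir"; return 1; }
        tw_i=$((tw_i + 1))
    done
    tw_end=$(date +%s.%N)
    rm -rf "$tw_dir"
    LC_ALL=C awk -v s="$tw_start" -v e="$tw_end" 'BEGIN { printf "%.3f\n", e - s }'
}

# run_test N: one "test files size block seconds" line per file size of test N.
run_test() {
    case $1 in
        1) rt_files=1   rt_block=1    rt_sizes="1B 1kB 10kB 100kB 1MB 10MB" ;;
        2) rt_files=1   rt_block=1024 rt_sizes="1kB 10kB 100kB 1MB 10MB 100MB 1GB 4GB" ;;
        3) rt_files=1   rt_block=4096 rt_sizes="100kB 1MB 10MB 100MB 1GB 4GB" ;;
        4) rt_files=100 rt_block=1    rt_sizes="1B 1kB 10kB 100kB 1MB" ;;
        5) rt_files=100 rt_block=1024 rt_sizes="1kB 10kB 100kB 1MB 10MB 100MB" ;;
        6) rt_files=100 rt_block=4096 rt_sizes="100kB 1MB 10MB 100MB" ;;
        *) echo "unknown test: $1" >&2; return 1 ;;
    esac
    for rt_s in $rt_sizes; do
        rt_secs=$(time_writes "$rt_files" "$(to_bytes "$rt_s")" "$rt_block") || return 1
        printf '%s %s %s %s %s\n' "$1" "$rt_files" "$rt_s" "$rt_block" "$rt_secs"
    done
}

# Usage: TARGET=/mnt/encrypted ./bench.sh 1 2 3
for t in "$@"; do run_test "$t" || exit 1; done
```

    Running it once against the plain filesystem and once against each encrypted mount point gives one column of a results table per run.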

    4.4.1 Volume Encryption

    This test compares the performance of physical volumes encrypted with TrueCrypt, BestCrypt and cryptsetup with that of a plain filesystem (FAT). Here are the results of the tests (time expressed in seconds), followed by some analysis:

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 B         0,016     0,015       0,015       0,015
    1 kB        0,021     0,021       0,025       0,022
    10 kB       0,76      0,075       0,074       0,068
    100 kB      0,567     0,539       0,542       0,547
    1 MB        5,389     5,478       5,291       5,359
    10 MB       54,261    56,157      5,473       55,574

    Table 4.1: Volume Encryption performance test #1 (one file from single bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 kB        0,015     0,015       0,014       0,016
    10 kB       0,015     0,015       0,015       0,016
    100 kB      0,02      0,016       0,016       0,018
    1 MB        0,03      0,28        0,032       0,034
    10 MB       0,131     0,135       0,136       0,137
    100 MB      1,2       1,4         3,688       5,168
    1 GB        19,005    41,96       53,253      77,42
    4 GB        48,899    156,476     200,418     421,747

    Table 4.2: Volume Encryption performance test #2 (one file from blocks of 1024 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    100 kB      0,028     0,026       0,015       0,017
    1 MB        0,029     0,029       0,022       0,025
    10 MB       0,101     0,088       0,104       0,093
    100 MB      0,915     1,17        3,328       5,772
    1 GB        32,044    39,585      39,592      133,961
    4 GB        41,316    153,541     161,019     404,589

    Table 4.3: Volume Encryption performance test #3 (one file from blocks of 4096 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 B         0,715     0,715       0,093       0,774
    1 kB        1,354     1,559       1,683       1,324
    10 kB       6,800     6,668       7,432       6,631
    100 kB      55,231    54,039      55,318      60,418
    1 MB        210,284   562,170     553,444     543,940

    Table 4.4: Volume Encryption performance test #4 (multiple files from single bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 kB        0,396     0,829       0,905       0,765
    10 kB       0,398     0,731       1,019       0,831
    100 kB      0,545     0,825       1,259       0,957
    1 MB        2,485     3,090       5,492       5,757
    10 MB       24,901    34,569      59,463      126,050
    100 MB      158,549   694,73      452,373     1034,821

    Table 4.5: Volume Encryption performance test #5 (multiple files from blocks of 1024 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    100 kB      0,892     0,873       0,959       0,991
    1 MB        2,461     2,192       6,560       5,260
    10 MB       14,417    37,550      62,043      60,748
    100 MB      143,273   425,355     391,263     968,217

    Table 4.6: Volume Encryption performance test #6 (multiple files from blocks of 4096 bytes).

    Conclusions

    From the data above it is possible to see that the greatest overhead appears when dealing with files larger than 100 MB. Most of the slowness is due to the old architecture of the target file system (FAT), but for small files there is actually no noticeable performance loss. For large files (over a gigabyte), instead, the write time is as much as 10 times greater, but generally it is only three or four times slower.

    Overall, the analyzed software performed quite well, sometimes even better than the plain filesystem, but every solution has problems with large files: cryptsetup is the worst when dealing with large files, but on the other hand it performs slightly better than the others for small files, especially sequential ones; TrueCrypt sustained all the single-file tests perfectly, but was outdone by BestCrypt in handling sequential files; moreover, BestCrypt incredibly enhances the performance of the file system for files of considerable size (10 MB) generated from single bytes, most likely thanks to heavy buffer usage.

    4.4.2 Virtual Disk Encryption

    This series of tests continues the analysis of the presented programs (TrueCrypt, BestCrypt and cryptsetup) by checking the virtual container implementation. This time there is an unavoidable performance loss, because containers reside on top of another file system and every operation must go through a virtual device and then to a physical one.

    The file system of the target containers is always FAT, guaranteeing coherent tests among the different software. In the following tables the first column again reports the performance of a standard FAT disk, in order to fully understand the different behaviour.

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 B         0,016     0,019       0,009       0,015
    1 kB        0,021     0,021       0,018       0,022
    10 kB       0,076     0,074       0,070       0,069
    100 kB      0,567     0,554       0,516       0,563
    1 MB        5,389     5,610       5,359       5,229
    10 MB       54,261    45,882      27,297      30,505

    Table 4.7: Virtual Disk Encryption performance test #1 (one file from single bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 kB        0,015     0,016       0,017       0,015
    10 kB       0,015     0,016       0,016       0,017
    100 kB      0,020     0,017       0,016       0,018
    1 MB        0,030     0,034       0,031       0,028
    10 MB       0,131     0,134       0,133       0,129
    100 MB      1,200     4,541       5,354       9,605
    1 GB        19,005    60,163      70,150      131,113
    4 GB        48,999    256,588     286,357     504,603

    Table 4.8: Virtual Disk Encryption performance test #2 (one file from blocks of 1024 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    100 kB      0,026     0,016       0,017       0,015
    1 MB        0,029     0,025       0,023       0,024
    10 MB       0,101     0,096       0,099       0,131
    100 MB      0,915     4,550       5,514       15,981
    1 GB        32,044    54,415      66,656      122,605
    4 GB        41,346    261,346     264,723     439,648

    Table 4.9: Virtual Disk Encryption performance test #3 (one file from blocks of 4096 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 B         0,715     0,886       1,071       0,888
    1 kB        1,354     1,558       1,511       1,946
    10 kB       6,800     7,154       7,226       8,078
    100 kB      55,231    56,646      56,108      58,125
    1 MB        210,284   559,804     559,919     571,746

    Table 4.10: Virtual Disk Encryption performance test #4 (multiple files from single bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    1 kB        0,396     0,843       0,944       0,830
    10 kB       0,398     0,805       0,892       0,902
    100 kB      0,545     1,057       1,122       1,156
    1 MB        2,485     8,366       9,030       13,320
    10 MB       24,901    69,124      86,329      118,151
    100 MB      158,549   694,730     702,611     2422,278

    Table 4.11: Virtual Disk Encryption performance test #5 (multiple files from blocks of 1024 bytes).

    File size   vfat      TrueCrypt   BestCrypt   cryptsetup
    100 kB      0,892     0,872       0,959       0,861
    1 MB        2,461     7,871       6,560       11,762
    10 MB       14,417    61,775      62,043      86,259
    100 MB      143,273   681,704     699,120     1007,887

    Table 4.12: Virtual Disk Encryption performance test #6 (multiple files from blocks of 4096 bytes).

    Conclusions

    As stated before, performance decreases heavily even for small files, especially sequences. The file size threshold is again 100 MB, but this time the slowdown is 4 to 6 times for big files and up to 15 times for sequential files with respect to a standard filesystem.

    The characteristics of the previous results are maintained: cryptsetup behaves better with small files but is almost unusable with large ones, BestCrypt is fantastic for files generated from single bytes, and TrueCrypt performs quite well in most cases.

    4.4.3 Full Disk Encryption

    Another feature of the described programs is that they can encrypt the drive on which the operating system is installed, implementing a Full Disk Encryption solution. The measurements checked the performance impact at system bootstrap and under normal workload by running the tests above (4.4).

    Test        no encryption   TrueCrypt   BestCrypt
    Boot time   32,670          38,014      37,017

    Table 4.13: Full Disk Encryption boot time test.

    File size   NTFS      TrueCrypt   BestCrypt
    1 B         0,068     0,070       0,070
    1 kB        0,111     0,110       0,110
    10 kB       0,467     0,466       0,465
    100 kB      4,028     4,107       4,047
    1 MB        39,745    43,150      41,615

    Table 4.14: Full Disk Encryption performance test #1 (one file from single bytes).

    File size   NTFS      TrueCrypt   BestCrypt
    1 kB        0,069     0,070       0,068
    10 kB       0,068     0,071       0,069
    100 kB      0,074     0,076       0,073
    1 MB        0,115     0,120       0,116
    10 MB       0,540     0,560       0,551
    100 MB      6,113     7,630       7,239
    1 GB        60,042    61,478      60,621
    4 GB        302,336   293,174     281,187

    Table 4.15: Full Disk Encryption performance test #2 (one file from blocks of 1024 bytes).

    File size   NTFS      TrueCrypt   BestCrypt
    100 kB      0,070     0,068       0,068
    1 MB        0,088     0,093       0,090
    10 MB       0,296     0,422       0,302
    100 MB      6,369     6,340       5,534
    1 GB        49,240    76,514      78,760
    4 GB        192,774   300,575     292,575

    Table 4.16: Full Disk Encryption performance test #3 (one file from blocks of 4096 bytes).

    File size   NTFS      TrueCrypt   BestCrypt
    1 B         3,165     3,310       3,216
    1 kB        6,976     6,875       6,853
    10 kB       41,742    42,013      41,870
    100 kB      390,910   391,540     389,477

    Table 4.17: Full Disk Encryption performance test #4 (multiple files from single bytes).

    It was not possible to run the 1 MB files test due to the excessive metadata information stored in NTFS file systems when generating files from single bytes.

    File size   NTFS      TrueCrypt   BestCrypt
    1 kB        2,938     3,100       3,039
    10 kB       2,973     2,735       2,279
    100 kB      4,971     3,504       3,454
    1 MB        7,730     7,947       7,743
    10 MB       53,159    55,867      59,974
    100 MB      704,645   737,143     727,411

    Table 4.18: Full Disk Encryption performance test #5 (multiple files from blocks of 1024 bytes).

    File size   NTFS      TrueCrypt   BestCrypt
    100 kB      3,191     3,258       3,252
    1 MB        5,291     5,679       5,580
    10 MB       32,397    33,947      34,130
    100 MB      684,864   728,103     717,615

    Table 4.19: Full Disk Encryption performance test #6 (multiple files from blocks of 4096 bytes).

    Conclusions

    It is possible to see that overall performance is not heavily choked: small and big files don't suffer at all from encryption, even sequential file writes are not harmed, and only extremely large files are actually slightly penalized.

    BestCrypt performed really well in the tests and the operations for setting up the encrypted system were very basic. Moreover this software supports memory and swap encryption and is well suited to dual boot environments, as it installs a bootloader of its own. Protection is very well implemented and in addition, if someone types a wrong password at PBA, it is reported that there has been an attempt to access the computer.

    On the other hand TrueCrypt performed a little worse than BestCrypt, and incompatibilities are likely to arise during the setup process: for example there is no support for dual boot environments and the swap file is not encrypted. However it integrates well with the operating system, as it performs several checks on the hardware before starting the process and forces the user to create a rescue disk containing information about the backed-up master boot record.

    Bibliography

    [1] K. Scarfone, M. Souppaya, M. Sexton, Guide to Storage Encryption Technologies for End User Devices, NIST Special Publication 800-111, 2007

    [2] A. Silberschatz, P. B. Galvin, G. Gagne, Operating Systems, Chapter 10-11, Pearson Addison-Wesley, VII Ed., 2006

    [3] Wikipedia, the free encyclopedia, Loop device, http://en.wikipedia.org/wiki/Loop_device

    [4] Wikipedia, the free encyclopedia, Full disk encryption, http://en.wikipedia.org/wiki/Full_disk_encryption

    [5] TrueCrypt, TrueCrypt Documentation, http://www.truecrypt.com/docs

    [6] Wikipedia, the free encyclopedia, Comparison of disk encryption software, http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

    [7] Gentoo-Wiki, Security - System Encryption dm-crypt with LUKS, http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

    [8] Mac OS X 10.4 Help, About FileVault, http://docs.info.apple.com/article.html?path=Mac/10.4/2n/mh1877.html

    Appendix A

    Test script

    The tool for running the tests was this simple shell script, along with the time utility:

    #!/bin/bash

    for ((i=0;i