Slashdot Mirror
GBDE-GEOM Based Disk Encryption on FreeBSD
BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."
FileVault is an encrypted disc image that is automatically mounted when you login.
It uses AES encryption (128 bit)
Its been written within Apple, using existing Apple technologies.
Using Disc Utility you can do the same on Jaguar, except Panther and FileVault make it very easy to do....
OpenBSD does not support SMP either.
BOO! TERRO
If you read the article, you'd notice several things:
a) this is completely different from OpenBSD's implementation
b) it's portable across filesystems
c) you wouldn't have written this idiotic post.
Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.
Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.
Actually, the NIST and NSA are quite open with information about these algorithms.
Think before you speak.
www.sitetronics.com/wordpress
I suggest you actually read the paper and you'll see that this is not exactly the same. GBDE has far more security levels, is easier to setup and use and can be considered safer too. Again, read the paper to see what I'm talking about.
1) GBDE has been available for months. Had you talked about GEOM-Gate, now that would have been interesting.
2) Poul-Henning suffers from extreme NIH complex. This crypto support has been in OpenBSD for 2 years.
3) Do you think he will let anyone touch his code? He didn't for phkmalloc and that piece of shit called devd, what makes you think he will now?
Poul-Henning is probably the most arrogant person I've ever seen. He has negatively influenced FreeBSD in a way I cannot even describe. Now go and mod me down, because I now use NetBSD for all my machines.
Alan
I believe it's a typo in the paper. The actual
hash function used is SHA, not RSA (see below
in the same paragraph that mentions RSA)
GBDE is *not* the same as the other solutions
you mentioned, it is much more secure. Please
read the paper for details if you want to know
why.
I thought this was a bad idea, since RSA is non probabilistic.
A hash function is not supposed to be probabilistic, a hash function must be deterministic, otherwise it wouldn't work. Of course using RSA for hashing is a bad idea not only because of performance, but also because RSA is not a hash function.
When used as a hash, you've got neither semantic security nor indistinguishability.
Semantic security is a concept used about encryptions not hashes. To get semantic security an encryption needs to be probabilistic. RSA is not probabilistic, neither is any symetric block cipher. But they can be used as building blocks in semantic secure encryptions.
Do you care about the security of your wireless mouse?
Windows XP also has it.
Only with the addition of 3rd party products (ScramDisk, PGPDisk, DriveCrypt, BestCrypt etc) - the build in encryption ISN'T drive encryption, but file encryption...
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Nah, that's a typo. Read further into the paper and you can see they mean SHA2/512 rather than RSA2/512.
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Lots of operating systems have had disk-at-a-time encryption. You can already get it for Windows, but that was apparently not good enough to have that PPT junkie use it either.
Disk-at-a-time (or file-system-at-a-time) encryption just doesn't seem to be convenient enough. Most files simply do not need to be encrypted, and the risk of losing an entire disk due to bugs or losing the pass phrase is just too high, as is the computational cost. People need to be able to decide on a per-file basis what gets encrypted and pick different pass phrases for different files.
In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks. You can build that on top of Plan 9's file system hooks or on top of the CODA hooks in the Linux kernel. Something like the Plastic file system for Linux also would work. But it can also be done at the kernel level; ReiserFS may get file-at-a-time encryption soon.
By the way, if you do want disk-at-a-time encryption, StegFS strikes me as a better choice.
Is it possible to do that (instead of just keeping parts of the key on an usb storage device) with freebsd/GBDE?
I think some ibm thinkpad T30 come with TCPA chip which could (at least theoretically) work as such a token, too.
The paper explains this at length (but I guess that the respondent didn't actually read the paper). The primary focus in GBDE was usability and deployability. Most of the prior art in this space cannot even change the pass-phrase without reencrypting the entire disk (which can easily take an entire day).
I wanted to do better than that, and I think I did. By a wide margin.
RSA vs. SHA.
Correct, that is a typo, it is SHA2 which is used.
AES, zero IV etc.
An important part of GBDE is that there is no two-way leverage on any crypto component. This is realized by the use of single-use random bit sector keys. With no two-way leverage and single-use keys, the IV is no longer important.
The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.
I'll be more than happy to discuss any aspect of GBDE, and would very much like to hear peoples experience and ideas. But I would prefer email (if need be by setting up a mailing list)
Poul-Henning Kamp -- FreeBSD since before it was called that...
No, you got that wrong. GBDE can also encrypt a partition. This means you create one partition when installing your system that you will encrypt, where you keep your private files. This makes it a lot easier to use than any application level interface (be it PGP/GPG/whatever). This is also explained in the paper, but I guess you didn't read that before commenting.