GBDE-GEOM Based Disk Encryption on FreeBSD

BSD Forums writes "The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a 'cold' disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. FreeBSD's Poul-Henning Kamp says in an email to freebsd-current that he has uploaded this paper and slides which he presented at BSDcon 2003, California, USA."

Filevault is Encrypted Disc Images.

[cmdrbuzz]

FileVault is an encrypted disc image that is automatically mounted when you login.
It uses AES encryption (128 bit)
Its been written within Apple, using existing Apple technologies.
Using Disc Utility you can do the same on Jaguar, except Panther and FileVault make it very easy to do....

Re:Again someone reinvents Theo's ideas.

[Eric+Ass+Raymond]

OpenBSD does not support SMP either.

Re:Again someone reinvents Theo's ideas.

[dodell]

If you read the article, you'd notice several things:

a) this is completely different from OpenBSD's implementation
b) it's portable across filesystems
c) you wouldn't have written this idiotic post.

Additionally, you obviously know nothing about cryptography, otherwise you'd not make such a stupid assumption about Rijndael, an OPEN algorithm developed outside the United States. It's been out for years and many people have failed miserably when trying to cryptanalyze it.

Additionally, it's also interesting to note that *NO* algorithms available in the mcrypt library are authorized for encryption of 'classified' data, by the NSA. Rijndael is authorized for encryption of 'highly sensitive' and some forms of 'classified' data.

Actually, the NIST and NSA are quite open with information about these algorithms.

Think before you speak.

Re:linux has had this for years

[avleeuwen]

I suggest you actually read the paper and you'll see that this is not exactly the same. GBDE has far more security levels, is easier to setup and use and can be considered safer too. Again, read the paper to see what I'm talking about.

Re:They say they're using RSA..

[kasperd]

I thought this was a bad idea, since RSA is non probabilistic.
A hash function is not supposed to be probabilistic, a hash function must be deterministic, otherwise it wouldn't work. Of course using RSA for hashing is a bad idea not only because of performance, but also because RSA is not a hash function.

When used as a hash, you've got neither semantic security nor indistinguishability.
Semantic security is a concept used about encryptions not hashes. To get semantic security an encryption needs to be probabilistic. RSA is not probabilistic, neither is any symetric block cipher. But they can be used as building blocks in semantic secure encryptions.

Re:Interoperability issues

[ssimpson]

Windows XP also has it.

Only with the addition of 3rd party products (ScramDisk, PGPDisk, DriveCrypt, BestCrypt etc) - the build in encryption ISN'T drive encryption, but file encryption...

Re:They say they're using RSA..

[ssimpson]

Nah, that's a typo. Read further into the paper and you can see they mean SHA2/512 rather than RSA2/512.

master key strorage?

[graf0z]

As far as i understood, GBDE uses - like many other crypto systems - different keys on different levels. There are "master keys" for protecting "sector keys". The master keys are only used for key-encryption, so they should be usable in slow crypting devices like cryptocards or usb cryptodongles. Since the master key never leaves such a token (master key operations are performed on an embedded chip), even a trojan with root privileges could only read data while the token is attached (in a way, they are "--x------"). Some of these cryptotokens even have an own input device (PIN-keypad) such that the passphrase for unlocking the keys cannot be sniffed.

Is it possible to do that (instead of just keeping parts of the key on an usb storage device) with freebsd/GBDE?

I think some ibm thinkpad T30 come with TCPA chip which could (at least theoretically) work as such a token, too.

/graf0z.

Re:disk-at-a-time encryption no good

[airConditionedGypsy]

In fact, file-at-a-time encryption shouldn't be in the kernel, it is implementable in user code if you have the right hooks.

While it is certainly possible to easily implement file encryption at the user/application layer, I disagree that it should be. Matt Blaze pointed out a number of reasons why in his CFS paper back in 1993.

..if you do want disk-at-a-time encryption, StegFS strikes me as a better choice

StegFS is a neat concept; the only drawback there is the huge performance hit -- besides, the goal of stegFS isn't necessarily to support encryption; it is meant to support plausible deniability of file ownership, and those two goals are very different.

Poul-Henning replies...

[phkamp]

Lets see: NIH, OpenBSD, compatibility and all that.

The paper explains this at length (but I guess that the respondent didn't actually read the paper). The primary focus in GBDE was usability and deployability. Most of the prior art in this space cannot even change the pass-phrase without reencrypting the entire disk (which can easily take an entire day).

I wanted to do better than that, and I think I did. By a wide margin.

RSA vs. SHA.

Correct, that is a typo, it is SHA2 which is used.

AES, zero IV etc.

An important part of GBDE is that there is no two-way leverage on any crypto component. This is realized by the use of single-use random bit sector keys. With no two-way leverage and single-use keys, the IV is no longer important.

The comment about the "plausible denial" setup being useless because an intelligent adversary would always take a mirror copy first: That does not affect the plausible denial aspect.

I'll be more than happy to discuss any aspect of GBDE, and would very much like to hear peoples experience and ideas. But I would prefer email (if need be by setting up a mailing list)

Re:Poul-Henning replies...

[phkamp]

You're still missing the point :-)

The setup I describe is how a "plausible denial" scheme could be set up. The bit about making a windows boot run over the GBDE data is just normal paranoia, it is not in any way related to or material to the plausible denial argument.

I don't personally give much for "Plausible denial", finding a cover story for even a few megabytes of uncompressible bits will be very hard if not impossible with a skilled adversary.

Therefore I focused in GBDE on giving the user leverage to a defensible non-disclosure stance. For instance by wiping out the master sectors if given enough seconds of warning. And in particular I wanted to make sure the user were never put in an indefensible position of compliance like for instance StegFS can do.

For me it is important that people realize that GBDE is not a solution, it is a tool to implement solutions. With crypto there is no "one size fits all", only hard work and careful planning.

Re:disk-at-a-time encryption no good

[phkamp]

My main beef with StegFS, as I mention in my paper, is that it may put the user in a position from which innocence cannot be proven.

Re:CD-ROM encryption

[avleeuwen]

No, you got that wrong. GBDE can also encrypt a partition. This means you create one partition when installing your system that you will encrypt, where you keep your private files. This makes it a lot easier to use than any application level interface (be it PGP/GPG/whatever). This is also explained in the paper, but I guess you didn't read that before commenting.