NetBSD's Crypto-Graphic Disk

An anonymous reader writes "Security-minded laptop users live in fear of theft, not only of their computer but also of their precious secret data. NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem. Recently its author, Roland Dowdeswell, was interviewed and provided a lot of details, and made a comparison with Linux's Loop-AES, FreeBSD's GBDE, OpenBSD's svnd. This is a must-read for any laptop owner (and paranoid androids)!"

mutually exclusive?

[User+956]

So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

Re:mutually exclusive?

[cmdrbuzz]

If you are using Mac OS X then you have disk image encryption built in.

See FileVault for the automagic encrypted home directory

or see hdid for the command-line version of disk utility.

Re:mutually exclusive?

[pepdar]

Mac OS X is a *nix OS.
It also features an encrypted file system, FileVault.

Re:mutually exclusive?

[User+956]

Mac OS X is a *nix OS.

No, Mac OS X is a BSD. There's a difference.

Re:mutually exclusive?

[tamnir]

That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt. Not only is it open source and cross platform (Windows/Linux), but it also happens to simply rock, surpassing many commercial products, with lots of nice features like the use of keyfiles, or for the true paranoid, cascade encryption (like AES-Blowfish-TripleDES) and plausible deniability (hidden volume).

Re:mutually exclusive?

[BokLM]

But what of those of us that have to use windows, or Mac OS X?

Thoses who use windows don't care about security, or they would be running something else. They don't need that.

Re:mutually exclusive?

[thebdj]

Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

In reality, it is probably still safe to call it a *nix, only the BSD zealots would like us to separate it into a "BSD", which is about as anal as separating the Linux distributions into different groups.

BTW, your original post compared it to *nix operating systems and complained about OSX. The Article refers to this about NetBSD, therefore making your statements a bit mixed.

The folks over at Wikipedia seem to agree with us on this one.

Re:mutually exclusive?

[gigel]

those of us that have windows (2000,xp,2003,vista) already know how to use the encrypting file system. if this http://www.iopus.com/guides/efs.htm quick howto does not make sense, then you cand find here http://tinyurl.com/dpy5n tons of microsoft documentation on it.

Re:mutually exclusive?

[croddy]

If Mac OS X is a BSD, then it's the only one without a /proc filesystem.

Re:mutually exclusive?

[muhgcee]

Give me a break. If you say something like that, it simply shows that you don't know how to administer Windows very well.

Re:mutually exclusive?

[Riddlefox]

How good is the EFS in XP? I recall that in W2K, it wasn't exactly a fool-proof way to keep people from accessing your files (especially on a laptop, where people could have physical access to the machine), due to the way the RA was set up...

Re:mutually exclusive?

[Theatetus]

Install Open, Free, or NetBSD sometime and look for the /proc filesystem. It's not there.

Re:mutually exclusive?

[lachlan76]

Moreso than Linux. BSD is based on the original AT&T source code, although it was mostly rewritten over the years.

Re:mutually exclusive?

[muhgcee]

I run Windows on my main desktop, and know how to do it well. I don't spend time daily administering my machine. I simply set it up correctly the first time. After installing Windows and all of my apps, I go through the list of processes that start on boot and only keep what I need. This is a basic strategy that administrators of *all* OSes (even "secure" ones) should use.

Combine this with being a smart user, and your system will be plenty secure. I don't even run anti-virus software. Never have. Never had a virus either.

Re:mutually exclusive?

[kasperd]

That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt.

TrueCrypt is vulnerable to watermarking attacks. Some time ago I created a watermarked file to demonstrate this weakness. If you put this file on a file system encrypted with TrueCrypt, some easily recognizable patterns will show up in the encrypted container. You simply take each pair of neighbor sectors in the encryption and XOR them with each other. When you reach the place where this file is located, the result is easily distinguishable from random.

Re:mutually exclusive?

[Lee_in_KC]

Oh come ON, who modded the parent +5 informative for a one line troll bait?

Re:mutually exclusive?

[kasperd]

This seems like it's only compatible with *nix OSes.

In Unix terms you would say, that these encryptions works on the block device layer. But that doesn't mean it cannot be done in other operating systems. AmigaOS had a similar concept, and I'm sure Windows has one as well. I don't know what it is called in Windows, but it is bound to exist because it is so tightly related to the way storage devices work. And there already exist multiple disk encryptions for Windows working on this layer.

Re:mutually exclusive?

[kasperd]

TrueCrypt is vulnerable to watermarking attacks.

I took a look through the list of new features in TrueCrypt 4.1, and apparently it has been improved to avoid watermarking attacks. So my previous comment only applies to volumes created with TrueCrypt 4.0 and earlier. I have not looked through the documentation and source to verify how secure the new mode is.

Re:mutually exclusive?

[LizardKing]

Install Open, Free, or NetBSD sometime and look for the /proc filesystem. It's not there.

Yet more ill informed Linuxite bull.

[chris@hooters]$ uname
NetBSD
[chris@hooters]$ mount
/dev/wd0a on / type ffs (noatime, nodevmtime, soft dependencies, local)
procfs on /proc type procfs (local)

Re:mutually exclusive?

[trifish]

This problem was fixed a month ago.

http://www.truecrypt.org/history.php

Re:mutually exclusive?

[trifish]

EFS is file encryption (which uses temp files). It is not on-the-fly disk encryption. There's a significant difference between those two concepts.

Re:mutually exclusive?

[lky]

Loop-AES is not the current recommended way of doing this on GNU/Linux.

For the current method, check out device-mapper, dm-crypt and cryptsetup.

For more information, check out: http://www.saout.de/misc/dm-crypt/

And for a guided howto install Debian on a USB stick with everything but /boot encrypted, check out: http://www.debian-administration.org/articles/179

Re:mutually exclusive?

[Randseed]

Of course, they didn't bother to write a program to create a TrueCrypt volume under Linux, so for right now this program is utterly useless.

Re:mutually exclusive?

[kasperd]

I guess you will also somehow "accidentally" forget to mention on your site that the watermark attack does not work anymore

Nowhere on my site is it said, that TrueCrypt is still vulnerable (or even that it ever was). Do you think TrueCrypt is the only encryption which has been vulnerable to this attack? The first time I looked on cryptoloop for Linux (in February 2002), it was vulnerable to the exact same attack. I have mentioned two implementations that apparently independent of each other had the same vulnerability. That means there is a significant risk that some of the many other disk encryptions are also vulnerable.

The file I provided contains not just one watermark but a lot of them. There are a few minor variations with byte ordering, padding, and cipherblock sizes. It is convenient to be able to test an implementation without knowing these details beforehand. The file can still be used to perform such tests. (Of course passing this test doesn't prove an implementation is secure, but failing does prove it is weak).

Re:mutually exclusive?

[latroM]

Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

Actually GNU's Not Unix. It is a system which behaves in the same, compatible way, not a derivate. Linux is a kernel.

Re:mutually exclusive?

[Theatetus]

Umm, yes if you install the Linux compatibility package for Open, Free, or NetBSD you'll have a /proc filesystem. It doesn't come that way naturally, though.

Re:mutually exclusive?

[Fweeky]

proc/linprocfs are part of the base system, they just aren't mounted by default:

-# grep PROC /usr/src/sys/amd64/conf/GENERIC
options PROCFS # Process filesystem (requires PSEUDOFS)
options LINPROCFS # Cannot be a module yet.

Re:mutually exclusive?

[Poltras]

shut up.

Re:mutually exclusive?

[digitalunity]

I don't even run anti-virus software. Never have. Never had a virus either.

How do you know?

A well written virus wouldn't even have symptoms of it's existence... You could have a root-kit right now and not even know.

Re:mutually exclusive?

[TCM]

Could you stop spreading bullshit if you obviously have no clue? Thank you very much.

Re:mutually exclusive?

[Chreo]

No procfs is a separate option when you edit the kernel config on FreeBSD. It is REQUIRED when using Linux compatibility tho but you can use procfs whitout the Linuxcompat

Re:mutually exclusive?

[krakrjak]

Actually Linux is not a derivative like BSD is. All BSDs and all commercial Unicies (HP/UX, AIX, Solaris, VMS, etc.) can trace their lineage back directly to AT&T Unix. Linux does not have this direct lineage. It was grown out of the workalike needs of one particular developer. Therefore it is wrong to say that Linux is a Unix derivative whereas, MACH, the BSDs and all commercial Unicies are definately derivatives.

Re:mutually exclusive?

[LizardKing]

As others have pointed out, procfs is not a Linux compatability thing, although many Linux binary emulation packages require it. I have Linux binary support turned off in my kernel config as I only used it to bootstrap the build of a native JDK with Sun's Linux one. Also, if you do have proc mounted for Linux emulation it isn't /proc anyway, it's /emul/linux/proc

Re:mutually exclusive?

[Nutria]

All BSDs and all commercial Unicies (... VMS, etc.) can trace their lineage back directly to AT&T Unix

Bemused snikering at people who have forgotten what VMS is, and how important DEC was to the growth of computing.

Re:mutually exclusive?

[BitchKapoor]

Apple hasn't always used Mach. Mach came to Apple via NeXT(Step). MacOS versions up to 9 used cooperative multitasking, and early versions didn't even have any memory protection (later versions had "guard pages," but no true application isolation).

Paranoid Android?

[fionbio]

Why do you think that Marvin's brain was running NetBSD? Otherwise, what use could he make of a laptop, with his "brain the size of a planet" ?

Re:Paranoid Android?

[Urusai]

What he doesn't clarify is that the planet in question is the NPC Democratus from Anachronox. The movie makes this somewhat clearer.

Interesting but not exactly new news

[Ffakr]

This is interesting and all, but this isn't exactly a ground-breaking news item.
PGP lets you do this on various platforms.
As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create an strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information. When I need something I mount it and when I'm done I umount it and it's nice and safe (as long as I never tell Keychain to remember the password).
You can do this on a vanilla OS X install with Disk Utility.

ffakr

Re:Interesting but not exactly new news

[BokLM]

PGP lets you do this on various platforms.

PGP lets you encrypt a file, not a filesystem.

Re:Interesting but not exactly new news

[nighty5]

The grand parent is correct, you can encrypt the entire filesystem: under Windows XP.

A new feature of PGP 9.0.

Re:Interesting but not exactly new news

[Riddlefox]

PGP had a feature that allowed you to create encrypted volumes. I know in PGP 8.0, it wasn't part of the 'free' version, but it could be unlocked when you registered.

Re:Interesting but not exactly new news

[PhraudulentOne]

I create an strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information.

Pr0n...

Re:Interesting but not exactly new news

[jcr]

As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create an strong-encrypted virtual disk image

That has nothing to do with PGP. The Mac OS has had this feature since Panther, and the encryption it uses is AES-128.

-jcr

Re:Interesting but not exactly new news

[bot24]

There is also a secure note storage area in your keychain, and you can create new keychains(which can be locked when you aren't using them). The OS has the tools in it for creating it's own secure note storage areas already without creating disk images that take up unnecessary space.

Re:Interesting but not exactly new news

[grub]

There was a program called PGPDisk which was part of the PGP package ages ago. I don't know if it's still available but worked well. I kept 650 MB PGPDisks backed up onto CDRW.

Re:Interesting but not exactly new news

There's also some useful software from jetico (.com? I think..) that will create a encrypted file and allow it to be mounted as a file system across multiple OSes (e.g. create a 512meg encrypted file on a zip/thumb/external USB drive and mount it as a file system under linux and M$... there may be a mac client, although I wouldn't recall). The also have some decent wiping software and some other goodies. and I'm not even a salesman. :)

Re:Interesting but not exactly new news

[yarbo]

Your OS can't treat a file as a filesystem? bummer

Re:Interesting but not exactly new news

[BokLM]

It can, if it's not encrypted. If it's encrypted then it depends of the program used to decrypt the file.

Cool, but for who?

[jaymzter]

This is a great idea, honestly... but who runs NetBSD on their laptops? I'd posit that it's a relatively low amount of folks. So while this is cool, until the code migrates to a better known F/OSS OS it isn't much use in the real world.

Re:Cool, but for who?

[LurkerXXX]

So if someone writes a cool utility for Linux, I should just ignore it and say it doesn't matter until it's migrated to Windows, because Linux has such a small amount of folks using it compared to Windows.

Sorry, it is of use. Even if it isn't on the OS YOU choose to run.

Re:Cool, but for who?

[MobyTurbo]

This is a great idea, honestly... but who runs NetBSD on their laptops?

Actually, due to it's (at least at one time) better support for laptop features, many *BSD users chose it over FreeBSD. NetBSD may have less drivers quantitatively, but when it has drivers (and it has a decent amount), they are of very high quality.

questions to ponder

[digitaldc]

What happens if cdgconfig file is lost or damaged?
If you lose the cdgconfig file, is your data irrecoverable?
When it overwrites data, is it truly unreadable?
How taxing is this system, how long does it take to execute?
What happens when you lose your PW?
Are there knowledgable people in the same continent that can provide support for this?

Re:questions to ponder

[Aurix]

Simple answer really... You lose your data, that's why the interview tells you to back it all up.

Re:questions to ponder

[vidarlo]

What happens if cdgconfig file is lost or damaged? If you lose the cdgconfig file, is your data irrecoverable? When it overwrites data, is it truly unreadable? How taxing is this system, how long does it take to execute? What happens when you lose your PW? Are there knowledgable people in the same continent that can provide support for this?

If you loose your config, I guess (I don't know) that you easily can make a new config file. It'd be no problems to store the config on a set of superblocks on the volume, in a unencrypted fashion. When you overwrite encrypted data with more encrypted data, or unencrypted, it is as unreadable as before I'd guess. And if you loose your passphrase... Well, you're done. You could have it written down in a secure location, eh? But a good crypto system can't have backdoors, so if pp is lost, goodbye to data.

What about privileged users?

[MattPat]

NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem.

If it acts like a normal filesystem, that means that nothing special needs to be done to access it, provided you have an account with rights to use that filesystem (I'm assuming it needn't be root). So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

In retrospect, most BSD users probably don't keep their passwords on a sticky note inside their laptop like some Windows users I know...

Re:What about privileged users?

[BokLM]

So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

You mean, if I tell everybody my password, then it's no more secure ? Really ? Are you sure ?
I've been doing that for years, you scare me !

Re:What about privileged users?

[Eil]

I don't know how GCD in particular works, but with Unix disk encryption, the designers typically allow for the entire filesystem to be encrypted from root (/) on down. In this case, you are asked for a passphrase by the kernel or some utility before the relevant parts of your disk are "unlocked." System accounts don't even enter into it since /etc could very well (and probably should) be encrypted on a sensitive machine. The attacker can know your user password, root password, and the blood type of your first-born son, but they aren't going to get at your data any time soon without the encryption passphrase.

I've personally always found encrypted disks (Linux and BSD) to be more trouble than they're worth to set up. I realized long ago that I'm much better at just keeping sensitive data off my laptop rather than trying to keep it secure. If my laptop is ever stolen, the most valuable thing they'd walk away with (data-wise) are a few DS9 episodes and maybe logins to a few non-essential websites.

TrueCrypt for WIndows and Linux.

[Futurepower(R)]

TrueCrypt is disk encryption software for Windows XP/2000/2003 and Linux. Version 4.1 was released last month. It seems to have been designed by people who are VERY serious about encryption. For example, TrueCrypt "provides two levels of plausible deniability".

Re:TrueCrypt for WIndows and Linux.

[evanism]

For XP Cypherix's Cryptainer is pretty schmick too...

Re:TrueCrypt for WIndows and Linux.

Although I have not used TrueCrypt myself, I have serious doubts about the fundamental insights that its developers have in cryptography. To develop secure cryptography software, understanding of the algorithms much more important than actually implementing them.

Take for example the Truecrypt FAQ. They state that "On legacy volumes, which are encrypted in CBC mode, data within each sector (sector is 512 bytes) are chained so when a block becomes corrupted, each successive block within the sector will become corrupted as well."

Wrong. Using CBC (cipher block chaining), one corrupted encrypted block leads to two corrupted blocks after decryption, not an entire sector. This Wikipedia article explains it best: the red blocks indicate corrupted data.

I have not examined Truecrypt further, but I can imagine that there could be more cryptographical mistakes. The people developing Truecrypt may be great programmers, but apparently no (big-name) academic cryptographists are involved (or I must have overlooked them).

Personal note:

I'm a cryptography student at ESAT (K.U.Leuven, Belgium), where among other things AES (Rijndael) was developed. Although have not contributed to AES myself, I am being mentored by the same experts who were involved. Check my ip address if you want.

Re:TrueCrypt for WIndows and Linux.

[jbarr]

I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutsey or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

Have a read of their FAQ and and you will see that a LOT of thought and effort has gone into this application.

Re:TrueCrypt for WIndows and Linux.

[trifish]

However, the question is whether the website and docs were written by the developers and designers of TrueCrypt or by their webmaster and docs maintainers.

They have a forum admin, forum moderators, etc, and the project is quite big so I doubt that the software devs/designers maintain the website and docs themselves.

Re:TrueCrypt for WIndows and Linux.

[trifish]

Not open source though (AFAIK). Closed source security = no real security.

Re:TrueCrypt for WIndows and Linux.

[trifish]

You forgot to write a very important thing:

TrueCrypt is open source and free (as in freedom and beer).

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

I use TrueCrypt, and it's great on a USB stick, but it does not provide encryption of the boot volume, which can be quite important (especially in Windows).

Re:TrueCrypt for WIndows and Linux.

[RedStar]

The statement you qoute is no longer present in the faq

Re:TrueCrypt for WIndows and Linux.

(grandparent replying)

The FAQ states it is: "Last Updated December 28, 2005".

Apparently the TrueCrypt team is very responsive. Congratulations!

Given the growing popularity of TrueCrypt and the apparently vibrant team behind it, I'm considering doing a full analysis of TrueCrypt from a cryptographic viewpoint. That is, as soon as I have the time (I'm quite busy now with my exams).

I wonder if there are other K.U.Leuven people involved with TrueCrypt, who maybe convinced the project team to include Whirlpool? Please reply. I know you are reading this thread or you wouldn't have updated the FAQ :-)

Re:TrueCrypt for WIndows and Linux.

[kasperd]

I have not examined Truecrypt further, but I can imagine that there could be more cryptographical mistakes.

There are other mistakes. TrueCrypt use the sectornumber for IV, which makes it vulnerable to watermarking. I mentioned this in another comment. This problem violates the plausible deniability mentioned by Futurepower.

Re:TrueCrypt for WIndows and Linux.

[mspohr]

The FAQ includes a method to encrypt the boot volume on Windows.

Re:TrueCrypt for WIndows and Linux.

[trifish]

That problem was fixed one month ago.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

That problem was fixed one month ago.

You are right. I just noticed that. I found the problem back in June when somebody asked me about the security of TrueCrypt. I haven't paid that much attention to TrueCrypt development in the meantime, because back then it could only be used with Windows. The fact that TrueCrypt appears to be bit more secure than it was back then and that it can now be used on both Windows and Linux means that maybe we should start paying more attention to it. At least I'll take a closer look on the mode being used. It is still deterministic and provides no integrity, but maybe it is strong enough for some scenarios.

Re:TrueCrypt for WIndows and Linux.

[trifish]

At least I'll take a closer look on the mode being used. It is still deterministic and provides no integrity

The new mode was recommended to them by several experts on sci.crypt (one of the experts was David Wagner, codesigner of Twofish).

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

Making a boot CD to run the OS is hardly a workable alternative. And the Windows SAM and registry would still be unencrypted, just on the CD, which will always be near the laptop.

My point is there are quite a few commercial products that do full-disk encryption, and Vista will include it as well. I presume they do this with code loaded from the MBR. Most can even encrypt an existing disk.

Full-disk encryption would be a killer feature, and make TrueCrypt much easier to use for the average business traveller. Until then, my organization is stuck with the closed source alternatives such as PGP desktop.

We are looking at the new hardware-encrypted laptop disks from Seagate, however.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

If you say you found it five months earlier, then I wonder why you did not contact the developers to tell them to fix it?
Because I had more important things to do (like finishing my PhD dissertation on disk encryption). And I didn't really care much as I couldn't use the software myself, since at the time it would only work on Windows. I did tell about it to a few users of the software. Apparently they didn't care enough about the problem to contact the developers.

I know by experience how hard it can be to get people admit that there is a security problem in some software they wrote. At that time I just didn't feel like spending much time on it.

Finally I must say, that although the situation has been improved, it is still deterministic. It has been proven that there will always exist attacks against such a scheme. And I found it much more valuable to continue my research on how to do something more secure.

You should prove what you say
Just read this thread on google groups.

IMO, you are probably just another liar.
That statement says more about you than about me.

Re:TrueCrypt for WIndows and Linux.

[whiskeypete]

My bigest fear with hardware encrypted laptop drives:

User: I forgot my password to my laptop. Can you reset it?
Tech Support: Sorry, the encryption is set at the disk level. You have lost all of your files.
IT Manager: Too many users are losing their encryption password. We will now have a default password that will be the same for all users.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

It would be great if someone translated it for those of us who speak only English and French.
You didn't trust me before, so would you trust that I gave a correct translation? Only English and French? You do read C don't you? In one of the comments you will find a small C program generating some of the watermarks. You doubted that I had found the problem back then. The fact that I did post a program demonstrating the weakness should be enough to prove that I knew about it.

In case anybody wonder about the text in that posting, it says that this is pretty simple, but it doesn't seem to work yet. But when I have more time I will try to modify TrueCrypt enough to make it compile with gcc, so I can see what happens. Further investigation showed, that the watermarks did in fact work. I had just been XORing the wrong encrypted sectors thus not noticing the patterns.

you told about the weakness only to "a few users" (instead of the developers)?
I told it to those who were asking the question.

Re:TrueCrypt for WIndows and Linux.

[Thundersnatch]

PGP Desktop allows multiple authentication methods per disk. Users can have USB tokens with a short passphrase, and IT can escrow a long, strong passphrase for recovery purposes.

I can only assume that the hardware-encrypted drives would have similar functionality (we haven't been able to get one yet for testing). Otherwise, those drives would be worthless to the security-conscious enterprises they're targeting as customers.

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Won't there always exist attacks against any practical scheme? I'd say TrueCrypt is (or will be, if you will) secure enough for many tasks, such as storing illegal downloads, private mail, password lists, and other non-life-threatening, non-military stuff.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

Won't there always exist attacks against any practical scheme?
It depends on your definition of attacks and practical. Serious research in the area operate with different kinds of access to the encrypted media. The weakest attack is the one where the adversary is just given read access to the media once. The strongest attack is one where the adversary controls the media and sees all writes, and decides what the media replies to all reads. They correspond to different scenarios namely the case of theft of an encrypted disk, and encrypted storage on an untrusted server.

With the recent improvements of TrueCrypt, it may already be secure enough for the weakest case. It clearly is not secure enough for storing the container on an untrusted server.

I say it may be strong enough because I haven't seen any attempt at formally proving this. Of course a formal proof would be nice. If I see one and is able to verify it, I will immediately start recommending LRW mode.

What is practical is not an easy question. Most existing implementations use a mode that does some kind of 1:1 mapping between logical and physical sectors. This does not give any significant cost in storage or I/O performance, and the CPU requirements is acceptable for many situations. I'd say this is practical.

Anything more complicated than such a 1:1 mapping have an additional cost in I/O performance. The additional CPU requirements does not appear to be much of a problem. GBDE has something slightly more complicated than a 1:1 mapping, and still it seems some people find it practical. I would have done a few things different from GBDE, but one of the modes I could come up with have same I/O patterns as GBDE and use a similar amount of CPU power.

But GBDE may have a problem with atomicity. And it still only focus on the theft scenario, it has no protection against a general passive attack or an active attack.

Most of the problems can be solved using journaling and various tree structures. Those are things that already exist in file systems, and as such I'd say they are practical from an I/O perspective. And the CPU requirement wouldn't have to be more than a factor of two compared to just encrypting each sector.

But that doesn't mean it is trivial to do. Because what I have mentioned here is a lot of layers which would each contribute to the performance overhead. Together it may turn out to give a too poor performance to be practical.

The layers could be integrated in a way that means you only need journaling in one place, and the trees used by the disk encryption closely match those used by the file system to avoid additional seeks. The problems with such an approach are that first of all it is no longer a general purpose disk encryption. Being tied to a particular file system means it should rather be considered an encrypted file system. But what I think is even worse is the fact, that it is a nightmare to provide a formal analysis.

Maybe somebody can come up with a good abstraction to built on top of a block device which is simple enough to encrypt and analyze, but OTOH sophisticated enough to provide all the journaling and tree structures needed by a file system.

Another problem with all of these models is, that no attempt is made to hide access patterns from an adversary monitoring the media. If the adversary knows which physical sector numbers you read and write, he can deduce which logical sector numbers you access. Currently the most efficient solution I know for this problem involves caching all of the data in RAM.

I'd say TrueCrypt is secure enough for many tasks, such as storing illegal downloads
Maybe it is now. But with the possibility of watermarking it wouldn't have been secure enough. How long before producers of for example software started watermarking it such that it could be recognized on an encrypted media?

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Well, by practical I mean usable.

I imagine that Truecrypt is used by individuals for the most part (a larger company would probably want something with more of a guarantee or contract). Now, while a lot of people have all kinds of spyware festooning all over, these are not the people who would know what Truecrypt is, anyway. A Truecrypt user is also likely to have the media in question reasonably sealed off from network access.

Thus, the scenario is that the media is on a computer that contains no adverse software, and that the media can only be compromised by physical access to the computer. Now, suppose that an attacker gets a copy of a volume and walks off with it, how strong an attack can be made? As far as I know, opening the volume should be as hard as breaking the used encryption, unless .. :

watermarking it such that it could be recognized on an encrypted media

Whoa, now. How does that work? Wouldn't that mean that the encryption used was weak in the first place?

In any case, to me it seems that the main concern with all disk encryption is precisely theft of a disk, what with company laptops wandering off on their own.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

Now, while a lot of people have all kinds of spyware festooning all over, these are not the people who would know what Truecrypt is, anyway.
If you are unable to protect your computer from spyware, then disk encryption is not going to help much anyway.

A Truecrypt user is also likely to have the media in question reasonably sealed off from network access.
Some disk encryptions actually state that you can keep the container on a different computer and access it using some networking file system. I have not yet seen a disk encryption which was secure enough to be used in that way. I don't think TrueCrypt claims to be usable in that scenario. But even making a backup of the container could be dangerous.

Now, suppose that an attacker gets a copy of a volume and walks off with it, how strong an attack can be made?
How much information does he need to get from the disk? Getting everything from the disk may be difficult. But if he just wants to know if one particular file exists on the disk, it may be simpler.

As far as I know, opening the volume should be as hard as breaking the used encryption, unless ..
I haven't seen a formal proof of that. And unless somebody tried to give a formal proof, then it is likely there is some subtle weakness which has not yet been spotted.

Wouldn't that mean that the encryption used was weak in the first place?
Yes, but until a month ago TrueCrypt was really that weak. Can somebody provide a proof that it is no longer weak?

In any case, to me it seems that the main concern with all disk encryption is precisely theft of a disk
Yes, but there are a few additional concerns. What are the characteristics of the physical media. Could it for some reason leak a few informations about what was in some of the sectors at an earlier point in time. What about a disk that was stolen an soon recovered again?

Re:TrueCrypt for WIndows and Linux.

[fbjon]

Can somebody provide a proof that it is no longer weak?

Well, I certainly can't :), but I agree that it is needed before it can actually be taken seriously by serious people.

Could it for some reason leak a few informations about what was in some of the sectors at an earlier point in time.

That's a very valid concern for all those users in these comments who use Truecrypt on a flash drive, USB or otherwise. As I understand, the controllers for the flash chip try to minimise the usage per individual flash cell, so overwriting a file might not actually overwrite what you think you're overwriting. Even hard drives can leave trails, since sectors can be remapped to spare sectors at the end of the drive, when they start to go bad. Those old sectors that got remapped can usually not be accessed in any way after that. Wiping the area requires more than a simple software-wiper like Eraser. Those issues are for the most part out of Truecrypt's control, though one could overwrite all free space in the entire flash module after closing the volume.

I think what you're referring to, however, is if Truecrypt leaves trails in the volume file/partition itself. That would depend on how Truecrypt deletes files, if it wipes them, or just marks as deleted like a regular FAT32 FS. In any case, since the volume works like any other filesystem, I think wiping and erasing a file with an external tool using random data works just as well.

Re:TrueCrypt for WIndows and Linux.

[joaobranco]

The hidden and false implication: the NSA/FBI/etc can not write or fund Open Source software.

Of course they can... BUT with source code you can INSPECT and CHANGE the software, so that any foul play is harder than with "off the counter" software.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

The paper you link to is an interesting read on Tweakable Block Ciphers. But it mentions neither LRW mode nor disk encryption.

Re:TrueCrypt for WIndows and Linux.

[kasperd]

The proof of security applies to LRW-AES as well (because it is a tweakable cipher).
The proof applies to the cipher, not the mode. The way the cipher is used in TrueCrypt does not correspond to any of the modes in the paper you linked to. The paper also states that TAES is expected to be 50-80% slower than AES. Why not use AES in CBC mode? (Here I mean a correct implementation of CBC, not the one with a deterministic IV).

Re:TrueCrypt for WIndows and Linux.

[kasperd]

There are at least five types of severe attacks on correctly implemented CBC (one of which allows full recovery of secret plaintext without any knowledge of any part of the key).

I don't know why I should believe you. I have seen and verified the proof for security of CBC under the assumption that the cipher is indistinguishable from a random permutation. If that assumption does not hold, then tweakable ciphers does not work either. And even the incorrect implementations of CBC does not allow full recovery of an unknown plaintext.

Of course this is all assuming passive attacks. Neither CBC nor LRW is secure against active attacks. If you want security against an active attack, you need stuff like hash trees and message authentication codes.

You do your homework.

If you had done your homework you would have come across two articles on the subject which give different proofs why LRW cannot satisfy the strongest security definitions. They are both available on eprint.iacr.org one is written by Kristian Gjøsteen, and I'm coauthor on the other.

of course it helps...

[advocate_one]

if you remember to encrypt any partitions that temporary data might possibly reside on... cos it would be awfully silly to protect your home partition and forget /var or /tmp or the swap... why not be completely paranoid and encrypt the the volatile "partition" that gets created in memory

Re:of course it helps...

[BobNET]

I have no idea why these mechanisms are not enabled by default on these OSes (not even on OpenBSD!) as the overhead really isn't that noticble...

Swap is now encrypted by default in OpenBSD 3.8: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=1111 85331505174&w=2

Re:*BSD?

[TheBogie]

It seems this AC has made a convincing argument for using XP as opposed to FreeBSD. Since I don't really know anything about FreeBSD, could some expert please offer a rebuttal of this AC's arguments? I know it seems like feeding the trolls, but I never see any real answer to any of these issues.

What a Load

[Some+guy+named+Chris]

From the summary: "Security-minded laptop users live in fear of theft"

Nice blanket generalization there. I'm security minded, use two laptops, and I don't live in fear. I mitigate risks. I use caution, but I don't live out my life in a state of fear, as your cliche ridden statement says.

Karma be damned, but I'm sick of people who use phrases without thinking what they actually mean.

Re:What a Load

[digitaldc]

"Karma be damned, but I'm sick of people who use phrases without thinking what they actually mean.

Karma can not be damned, it is only a state of being.

Re:What a Load

[Some+guy+named+Chris]

LOL

Re:What a Load

[Waffle+Iron]

I mitigate risks. I use caution

Yes, and why do you take those steps? Because you live in fear of the consequences that would happen if you didn't take them.

Re:What a Load

[Colin+Cordner]

From the summary: "Security-minded laptop users live in fear of theft"

Nice blanket generalization there. I'm security minded, use two laptops, and I don't live in fear.

I agree with the PP - I don't "live in fear" either. I live next door to fear, sure, and I may occasionally peep over the fence to throw a rock at it...

Re:What a Load

[angst_ridden_hipster]

I was wondering who was throwing those damn rocks.

Filevault

[Savage-Rabbit]

So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

OS.X ships with something called Filevaut, accessable from 'System Preferences'. Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it. This image gets mounted onto your Home directory when you log in and cannot be accessed unless you either know the login password or somehow manage to crack the encryption on the image file. This is useful for mobile professionals and the on the fly encryption works surprisingly well unless you are working with say, Photoshop files that weigh in in the hundreds of megabytes. For day to day stuff this works quite well. Just for example, I keep my iTunes collection on a filevault image and it does not seem to kill performance even with resource hogs like MS Word and Excel running.

If you only want a small secure area rather than encrypting the entire Home directory like you do with Filevault you can also create stand alone *.dmg images with the 'Disk Utility'. These have the same 128-bit AES encryption as Filevault. Fire up /Applications/Utilities/Disk Utility.app, select File->New->Blank Disk Image... Once created this can be accessed by double clicking it and feeding it the password.

Re:Filevault

[Anonymous+Bullard]

Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

Wonder why... ;-)

Re:Filevault

[keith_nt4]

All you need is the login password? Couldn't a bad guy just boot off the install CD, reset the password and login (and reset the keychain, god I hate that keychain)? Doesn't sound very secure to me.

Re:Filevault

[ImaLamer]

AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

Is that the same guide I read? I think it's title was: " For Our Eyes Only "

Re:Filevault

[Nogami_Saeko]

Uh, no.

The filevault key is hashed from the user's password. If you reset the login password and reset the keychain, it will do you no good as you still can't open the filevault container because you still don't know the original password that was used to generate the key.

The only way to bypass filevault is by setting a master encryption password on the computer, which will allow filevault recovery if you know that master password (also not possible to reset).

Re:Same as Linux's loop-aes?

[BokLM]

This appears to be the same as linux's cryptoloop (loop-aes, etc), or am I missing something?

Yes, it's similar.

It's nothing really special, until it's implemented so laptop users can easily set up an encrypted root filesystem and be able to boot into it easily.

It's aldready possible.

http://www.tldp.org/HOWTO/Encrypted-Root-Filesyste m-HOWTO/

paranoid android overlords

[ichigo+2.0]

I for one welcome our paranoid android overlords!

In Soviet Russia, paranoid of androids is you!

I'm a paranoid android, you insensitive clod!

Imagine a beowulf cluster of paranoid androids!

Yup, that was pretty awful.

This is already built-in to OSX

It's called FileVault. Just go to one's system preferences, select FileVault, set the password and bingo!

Re:This is already built-in to OSX

[Anomalyst]

Having everybody use the same "and bingo!" password does not seem very secure.
P.S. better complexity would be "and Bing0!".

Re:*BSD?

Actually... *BSD ain't so bad. I am sure this guy just pulled some sh*t out of his ass.
Here is some information about FreeBSD if you are interested.

Doesn't address unencrypted OS

I don't know about BSD, but with Windows there is always the danger that the OS itself or other programs are making copies of data and filenames and storing them in the registery, .ini files or a thousand other possible places which may not be encrypted. Encrypting the entire OS from boot on up seems like the only genuinely secure way to prevent this problem.

Re:Doesn't address unencrypted OS

[evanism]

Amen! Christ knows whats stored in your swap partition, c:\Docs and Settings, or even C:\WINDOWS\Prefetch... and elsewhere...

Re:Doesn't address unencrypted OS

[zyche]

OpenBSD by default encrypts the swap-partition. Read the paper by Nils Provos.

Re:Doesn't address unencrypted OS

[Shanep]

OpenBSD by default encrypts the swap-partition. Read the paper by Nils Provos.

Wow, I thought you were wrong about it being on by default, so I checked the CVS entries. I knew OpenBSD's swap encryption had very little impact on swapping performance, but it seems that this was switched on by default 9 months ago and I didn't even notice. I guess that shows how little impact it has.

Re:Same as Linux's loop-aes?

[croddy]

On Debian, setting up an encrypted root filesystem is not difficult at all. Install cryptsetup and have a look in /usr/share/doc/cryptsetup/CryptoRoot.HowTo -- with a Debian 2.6.12+ kernel and yaird it's practically automatic.

(...yeah, there was that nasty bug in yaird a couple of weeks ago but it's been marked 'done' :-)

Xandros Linux has automatic disk encryption

[Burz]

You can setup encryption for any homefolder in Xandros right from the user admin section of Control Ceenter. It uses keyfiles and supports the algorithms you listed plus about six others.

NetBSD at SCALE 4x

[irabinovitch]

NetBSD will be exhibit at SCALE 4x

sysctl = BSD; /proc = Linux

[Cadre]

Actually, no BSD's have /proc. BSD's use sysctl. Linux uses /proc.

Re:sysctl = BSD; /proc = Linux

[croddy]

sure they do.

Re:sysctl = BSD; /proc = Linux

[quantum+bit]

Can't speak for the others, but while FreeBSD does have a procfs, it's considered deprecated and its use is discouraged.

Windows

[gr8dude]

Under Windows, you can use Private Disk (AES 256-bit, with certification from NIST; use multiple encrypted drives simultaneously), it comes with a lot of features, my favourite one being 'Disk Firewall'. This is an application-level filter that doesn't exist in programs like TrueCrypt or BestCrypt, etc. This thing allows you to control which application can access the drive, while the others (i.e. viruses, spyware and other #^!#$^!ware) are rejected.
The program runs off removable drives too (there are certain particularities.. but once you know what you're doing, it works).

Private Disk [Light | Multifactor]

[gr8dude]

Try these

Private Disk (lots of features, highly customizeable)

Private Disk Multifactor (Comes with biometry and smart card authentication)

Private Disk Light (this is the free version)

I wrote about these tools in an earlier post. I am very satisfied with this thing, bought it for half the price - student discount :-)

Why is this being compared to loop-aes on Linux?

Reading the first few lines of the interview I get the impression it does almost the exactly the same stuff dm-crypt does, which has been in Linux stable for over a year now.
Have a look at http://luks.endorphin.org/
In my opinion, there has been some excellent work been done.

Hmm, Mr Anonymous Expert Cryptologist

[wurp]

It's possible you know about cryptography, but you don't seem to know much about networking... how exactly do we check your ip address?

That said, I don't know anything about CBC and I expect your point is 100% correct. It's just painful to see such a statement from someone purporting to inform me about computer related information.

I use loop-aes when I want an encrypted drive. Setting it up the first time sure is a pain, though.

Thinkpad's w/ TPM Security Chip offer this

[jonnykelly]

And other PC makers who offer Trusted Platform Module subsystems probably do as well. The IBM/Lenovo Client Security Solution works great. It's actually Utimaco Private Disk software.

In fact the real beauty of this solution is that it can be set up to replace the standard windows login with one which uses the TPM, and can then 'unlock' as much or as little of your other TPM secured data as you like. My only complaint is that the password manager doesn't work w/ Firefox/Thunderbird, so I can't have TRUE single sign-on. But if I were to just use IE, it would be.

How long has it been tested

[IntelliAdmin]

I have been burned many times in the past by development filesystems, and drivers. It sounds like a great idea, but I am going to wait quite some time before I trust my data with it.

SuSE

[Lord+Byron+II]

SuSE supports encrypted disks without the use of the commandline. Does anyone have any comment as to the security or the recoverability of the SuSE system?

Windows EFS

[charnov]

Windows has the Encrypted Filesystem built into NTFS.

http://www.microsoft.com/technet/prodtechnol/winxp pro/deploy/cryptfs.mspx

Re:Windows EFS

[Nogami_Saeko]

I have never used windows encryption, but I was under the impression that it's a file-level, rather than a disk-level encryption - so while you couldn't get the information back easily, you could view the file name, size, date and other attributes, as well as see the number of files encrypted.

Disk-level encryption, which protects the entire drive until the key is entered is far more secure - you can't even prove there is anythign at all on the disk, or if it's just randomized bits generated from a secure wipe.

Re:Windows EFS

[charnov]

It's integrated into AD and local permissions meaning that an enterprise admin could revoke or grant priviledges on the fly which is a really big deal in an infrastructure environment. Also, it is a key cert style encryption so you can always back up the decrypt key or use a central key server. I have never tried to use it to hide a volume for plausible deniability, but I don't think it was designed with that in mind.

dm-crypt?

[Gadzinka]

It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.

If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:

• it allows to use encryption algorithms in CBC mode;
• uses published linux kernel crypto API, which means that you can use any cipher known by kernel;
• because of the above, if kernel has hardware support for some crypto algo, dm-crypt uses it automagically: I have a very low power VIA Epia MicroITX board (soon to be replaced by even lower power Nano ITX board by Epia) serving as my home fileserver. The processor, VIA Nehemiah is disgustingly slow at it's 800MHz, but it has VIA Padlock crypt engine doing AES in hardware -- access speed on encrypted AES256-CBC partition is indistinguishable from the speed on the same non-encrypted disk, and a lot higher than on my Pentium M 1.6GHz notebook with Blowfish (i.e. the fastest-yet-quite-safe) dm-crypt partition.
• because it uses Crypto API, you can use any new safer or faster algo, whether it's done in software or hardware, as soon as there is crypto api driver for it (crypto using GPU anyone? ;)
• with existing cryptsetup tool you can create encrypted swap partition with random key taken from /dev/random; and since some platforms (e.g. VIA Epia, but also chipsets from Intel, AMD and others) have true hardware random generators with Linux drivers, I wish a lot of luck to someone trying to recover passwords from my swap device ;)
• while existing key generation method is not as kosher as described PKCS#5 PBKDF2 or multifactor solutions, cryptsetup is just a userspace tool controlling kernel space diskmapper virtual disk engine; you can write your own tool and initialize your dm-crypt partitions any way you want;

OK, I'm tired, go read the links and you'll be much wiser and better informed than after reading TFA ;)

Robert

Re:dm-crypt?

[bani]

The major difference between dm-crypt and loop-aes is that loop-aes has optimized assembler. My tests between dm-crypt and loop-aes showed that dm-crypt was more than 3 times slower.

With loop-aes, my drive is the bottleneck. With dm-crypt, dm-crypt is the bottleneck.

Re:dm-crypt?

[Gadzinka]

Ever tried the aes-i586.ko kernel module instead of default aes.ko?

Robert

Re:dm-crypt?

[bani]

well no since i was using x86_64

and there wasnt an x86_64 asm implementation when i tested in 2004. maybe everything has been fixed by now though. it wasnt an option then.

Re:dm-crypt?

[Gadzinka]

[0:26] [rrw@laptok:/home/users/rrw]
0% cd /usr/src/linux/arch/x86_64/crypto
 
[1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
0% ll
total 24
-rw-rw-rw- 1 root root 8388 Oct 28 02:02 aes.c
-rw-rw-rw- 1 root root 4671 Oct 28 02:02 aes-x86_64-asm.S
-rw-rw-rw- 1 root root 159 Oct 28 02:02 Makefile
 
[1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
0% uname -a
Linux laptok 2.6.14 #2 PREEMPT Sat Dec 24 22:04:04 CET 2005 i686 GNU/Linux

Robert

Re:dm-crypt?

[Cronopios]

It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.

If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:[...]

There is a dm-crypt tutorial on Linux Journal: Encrypt Your Root Filesystem.

It was also published in Spanish by the magazine Mundo Linux.

Re:*BSD?

[ettlz]

This has all the hallmarks of a known troll. In fact, it has appeared as this post before. Silly person with nothing better to do.

GBDE

[kasperd]

He seems to have a relevant worry about the lack of atomicity when writing to a GBDE encrypted device. However he fails to notice that this happens only because GBDE has addressed a problem which every other disk encryption seems to have ignored. You get certain security advantages from probabilistic encryption. But probabilistic encryption implies the encrypted version must be slightly larger than the clear text.

More than once has the use of deterministic encryptions lead to weaknesses in disk encryptions. And often the workarounds require additional CPU power. And even the most careful deterministic encryption can never be as secure as a probabilistic encryption.

GBDE does have probabilistic encryption. This also means that obviously an update requires more than one physical write. Though this could be done securely, the way it is done in GBDE seems to give a risk of data loss/corruption. Some kind of journaling could have solved the problem. Having journaling both in the encryption and in the file system seems to be overkill (and clearly hurts performance), but integrating the two without compromising security is nontrivial. I'd like to see some more research in this area.

From my description it may sound like from a cryptographic viewpoint GBDE is the best designed disk encryption in existence. Unfortunately it isn't so. It did get some things right, but it seems to be mostly by luck. GBDE uses different pseudo random keys for each sector, however rather than using a standard PRNG, PHK decided to invent his own known as the Cherry Picker. Unfortunately there is a weakness in this generator as the output is not uniformly random.

To the best of my knowledge GBDE is currently the only disk encryption making use of probabilistic encryption, and none of the disk encryptions in existence make a serious effort at guaranteeing integrity (also known as security against an active adversary).

Re:GBDE

[kasperd]

but if you are going to do that then you have the responsibility of maintaining a proper transaction log.
That is just one possible solution. There are simpler ways to solve the problem, for example you could just mirror the shared sector. You'd need to add a bit of redundancy to find which one is correct. So you might end up with only 31 logical sectors rather than 32 for each 33 physical sectors. But at least you preserve locality.

If you do not do this, then at the end of the day your pseudo-disk isn't actually ``a disk'' since it breaks the atomicity requirements the higher level fs code, DBs, etc. assume that disks present.
What are the exact gurantees that disks give you? What requirements does the higher levels have? Atomicity is a pretty strong property. Does disks really give you this? Having random garbage in the sector being written the very moment power was turned off sounds more likely. Maybe that is not acceptable, but then a harddisk can do some "magic" internally to give better guarantees than what you get from the physical media.

Of course a disk encryption not paying attention to this will give something worse to the higher layer than what it was given by the lower layer. But OTOH with some redundancy and integrity checking, you can go from a single corrupted sector to an atomicity guarantee. A disk encryption doing this could provide better guarantees to the higher layers.

The big question is, how do we do this in a way that is I/O efficient and using as little space as possible?

stop being lazy/stupid

[hyperbotfly]

Learn the CLI....It is SO worth it!

Re:BSD IS DEAD

[pupeno]

The good thing is that free software never really dies. It may be frozen but it is still there for everyone and if someone wants to pick it, (s)he is free to do so.

Crypto-Graphic?

[1u3hr]

Okay, I RTFA, and still don't see why there is a hyphen in "crypto-graphic" here. I thought perhaps it was some cute way to use a graphics card to do the the encoding, but I think it's (don't laugh) a typo. Please correct me if I'm wrong.

Re:Crypto-Graphic?

[someone1234]

Because it's main usage is to hide (crypto) porn (graphic).

Important Fact: TrueCrypt is Open Source!!!

[Futurepower(R)]

I've only just begun using TrueCrypt, but my experience, also, is that it just works, also. I like making and maintaining a container, which can be moved to a thumb (flash memory) drive for traveling.

I like the command line options of TrueCrypt.

Most importantly:

1) Reading the web site and documentation gives me the impression the developers know what they are doing. I like it that, in the comments above, the developers are criticized for an incorrect statement about block chaining, and the error was corrected immediately.

When I read the web sites and documentation of commercial encryption products, so much is written by bored marketing people that I fear that the company is controlled by someone who majored in English Literature. (Nothing against majoring in Eng. Lit., but such people should not have control over products that require advanced understanding of technology.)

2) To me, it is absolutely necessary that any encryption software I use be Open Source. I fear that a rogue employee or a an owner of a commercial encryption software company would put in a back door, or would introduce a weakness.

The U.S. government has decided that it can secretly force companies to help in surveillance. This means that commercial companies cannot be trusted. (The drawbacks of secret action are called "Blowback" by some in the U.S. government. Blowback is not seen as a bad thing, because if decreases the political stability in the world, which means that employees of U.S. government secret agencies will get raises and promotions.)

For conventional encryption, like sending encrypted files automatically to a private FTP site for safe offline storage, I use Gnu Privacy Guard. Also Open Source, of course.

A Slashdot editor could check his IP address.

[Futurepower(R)]

"... how exactly do we check your ip address?"

When I read that, I assumed he meant that a Slashdot editor could check his IP address.

I know that Slashdot editors sometimes read the stories they post, because, when I criticize the Bush administration, sometimes I am moderated down multiple points, without the moderation appearing in the karma points summary at the end of the comment. In the middle of the night, while Slashdot editors are presumably sleeping, people in other countries moderate the comment to +5. The comment is then bulk moderated down when it is morning in the United States. Just guessing, but it is plausible.

This comment may seem a little off topic, other than being an answer to an on topic thread, but it is relevant because encryption like that provided by TrueCrypt is more necessary in times of political instability and government corruption.

for a growing userbase

This is one example of how a F/OSS _becomes_ more popular. Don't count a runner out of a race which never ends.

Crosscrypt for Windows Users. GPL too

[tezza]

I've used this A LOT.

Cross Crypt - Open Source AES and TwoFish Linux compatible on the fly encryption for Windows XP and Windows 2000.

It uses the excellent Filedisk to appear as a volume in Explorer.

It's GPL, sorry to restate that, but I dunno if you read the headline fully or not.

Apple's FileVault

[l0ungeb0y]

Hey -- I'm no crypto, OS or FS guru, how does this compare/differ from Apple's FileFault which provides on the fly encrypt/decrypt of user files? Being an Apple user, I have yet to use the FileVault utility, but it does look enticing, just that encrypting files on my workstation doesn't seem worth the *anticipated* performance hit.

Perhaps this might be yet another *BSD project that Apple could benefit from ala Konqueror. Or not.

Is that you being especially nice?

[Futurepower(R)]

"... you are probably just another liar."

Ahhh, the civilized and polite interaction for which Slashdot is famous.

Re:*BSD?

[anothy]

the parent is a troll and an idiot, but you seem to be genuinely asking, so i'll take the time to answer.

GUI quality: The troll gives no indication of what or how he's measuring. it's difficult to deny that MS's GUIs are more polished, but there are numerous inconstancies. GUIs available on unix systems, including FreeBSD, tend to be more configurable. i'm inclined to agree that traditional X11-based GUIs are behind that of Windows, but that's a far cry from FreeBSD not having one, as the troll claims. also, OS X is widely agreed to be easier to use than Windows' and is unquestionably more technically advanced (we'll see what Vista brings).
Support: The troll's claims that Microsoft is "the world's most trusted software company" is simply laughable. major failures in security and stability in Microsoft products are legendary; their reputation for quality is thoroughly mediocre. they are, however, quite large and do stand behind their products (such as they are) for defined periods of time, which has a certain level of comfort associated with it. FreeBSD, on the other hand, has much higher initial quality and also has commercial support available from various sources. the open source nature of FreeBSD and the vibrant community existing around it also means particularly obscure problems are more addressable than they are in Windows, where you're left waiting for Microsoft to release a patch. again, there are trade offs to be made, but i think FreeBSD is a clear winner here.
Cost and convenience: It is undeniable that having the system pre-installed is a huge win for convenience. but the troll goes way off-track from there. first, XP is available pre-installed, but for how many architectures, maybe two (x86 and itanium)? FreeBSD is available on about a half dozen (NetBSD, incidentally, is available on dozens); this is particularly important in the sever and appliance realms, which are FreeBSD's primary target spaces. FreeBSD is available pre-installed at least on server equipment (i don't know of anyone who does workstations/laptops). the troll claims that XP is free, which is flatly false: the cost is bundled in the cost of the hardware. the troll is also implicitly defining terms like "every major manufacturer" to be only ones he cares about: get me an XP system from Sun or Apple, for example.
Stability/scalability:Again, the troll gives no measurements. at a minimum, XP has a reputation for being unreliable. in my experience at work, XP is a step down in stability and reliability from 2000, although both of these are still leaps ahead of any Microsoft system predating that (except probably DOS, which was highly stable by virtue of being so tremendously simple). DoS-style attacks which bring down the system remain common against XP and virtually unheard of against FreeBSD. FreeBSD is highly stable. the standard edition of XP also scales to 2 processors; special versions are available to get it up to higher number, but still pretty modest number of processors (i think it was 16, but i don't remember). i'm not sure specifically what SMP problems the troll is talking about (again, no specifics), but i've personally run FreeBSD on dual-processor SMB systems without issue and other BSDs on systems much, much larger than any Microsoft product has any hope of touching. for reference, note that BSD-based systems hold many places in the Top 500 supercomputer list, including several in the top 20; Windows can't hope to touch that level of performance.
Software availability: No, troll, not everyone uses it. but yes, it does have more software. for that reason, when i was Director of IT for our company, we continued to by Windows boxes; our accounting package wasn't available on any other platform. but this very much depends what you need. FreeBSD certainly runs a far cry more than vi. most things that'll run on other open-source systems like Linux,

Won't Full Disc Encryption make this obsolete?

[Scott_Marks]

Seagate has announced a laptop disk that does full disc encryption in hardware, without slowing down disc I/O at all. Seems like that makes software solutions (which are subject to reverse engineering, etc.) decidedly inferior.

Re:Won't Full Disc Encryption make this obsolete?

[setagllib]

Sure, except that cgd works on memory block devices (useless) and file-backed block devices (pretty useful). And on any disk. And on any platform. And on USB bars and floppy diskettes.

Nice to hear Seagate is offering a specialty product, but you can have much more versatile encryption for free, and it's easier to administer. How would the Seagate drive get its password? Would you type it in while booting? Or have to use a Windows-specific driver? Or would it memorise it, completely defeating the point of encryption?

Performance isn't everything. 'Slow' doesn't mean 'decidedly inferior'. By that token you may as well take a plane to work instead of driving a car.

Re:Same as Linux's loop-aes?

[Aurix]

errr, he didn't actually compare it to cryptoloop or loop-aes. He only mentioned it.

Perhaps you should RTFA.

Same to you, I'm sure.

[jcr]

I guess you missed the part where he said he used Disk Utility. PGP Disk wasn't mentioned. Who's stupid now?

-jcr

Re:Bestcrypt offers similar features

[Tetch]

> Bestcrypt is probably only solution supporting Linux AND Windows

Wrong - as mentioned by several other posters there is an excellent free open-source encrypted drive product available for Windows - Truecrypt, http://www.truecrypt.org/ - which now has a Linux version available (since V4.0), offering the ability to access the same encrypted drive from both environments.

Forget Bestcrypt.

RTFA

[noz]

Wow, it's my first time telling someone to read the article before asking questions. The first section of the first link says (and I quote):

13.1.1. Why use disk encryption?

File-oriented encryption tools like GnuPG are great for encrypting individual files, which can then be sent across untrusted networks as well as stored encrypted on disk. But sometimes they can be inconvenient, because the file must be decrypted each time it is to be used; this is especially cumbersome when you have a large collection of files to protect. Any time a security tool is cumbersome to use, there's a chance you'll forget to use it properly, leaving the files unprotected for the sake of convenience.

Worse, readable copies of the encrypted contents might still exist on the hard disk. Even if you overwrite these files (using rm -P) before unlinking them, your application software might make temporary copies you don't know about, or have been paged to swapspace - and even your hard disk might have silently remapped failing sectors with data still in them.

The solution is to simply never write the information unencrypted to the hard disk. Rather than taking a file-oriented approach to encryption, consider a block-oriented approach - a virtual hard disk, that looks just like a normal hard disk with normal filesystems, but which encrypts and decrypts each block on the way to and from the real disk.

Many good reasons.

Re:RTFA

[iNetRunner]

Also there is the risk of keyloggers when using encrypted files/filesystems from your regular OS (tough Windows mainly, I guess..).

aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Thanks to the poster above who pointed this out to me...

I am using dm-crypt on top of a level 5, 3 disk SATA raid.

The system just used a normal aes.ko module so I decided to try the aes-i586.ko module (the server is a Athlon XP 2400+ with 512 MB RAM).

Here are my results:

Control Read test file (non-crypted)...

1) 0.01user 1.43system 0:17.99elapsed 8%CPU
2) 0.03user 1.43system 0:18.07elapsed 8%CPU
3) 0.03user 1.43system 0:17.94elapsed 8%CPU

AES
===

Write test file....

1) 0.05user 4.99system 0:53.26elapsed 9%CPU
2) 0.05user 4.88system 0:52.85elapsed 9%CPU
3) 0.06user 4.87system 0:50.14elapsed 9%CPU

Read test file....

1) 0.03user 2.00system 0:36.44elapsed 5%CPU
2) 0.03user 1.97system 0:36.99elapsed 5%CPU
3) 0.03user 1.94system 0:35.55elapsed 5%CPU

AES-i586
========

Write test file....

1) 0.06user 4.65system 0:42.12elapsed 11%CPU
2) 0.03user 4.90system 0:40.38elapsed 12%CPU
3) 0.04user 4.77system 0:42.02elapsed 11%CPU

Read test file....

1) 0.03user 1.87system 0:22.22elapsed 8%CPU
2) 0.04user 1.91system 0:21.80elapsed 8%CPU
3) 0.02user 1.90system 0:22.00elapsed 8%CPU

As you can see the results with aes-i586 are significantly better :) The write operations took a lot of CPU cycles in kjournald (I'm using ext3 so you may get better speeds with other filesystems).

Does anyone know of any reason not to use aes-i586.ko?? I assume they are exactly equiv?

Anyways, I've added the line:
  alias aes aes-i586
to my modprobe.conf.

Cheers for the advice.

Re:aes.ko Vs. aes-i586.ko: stats...

[Gadzinka]

Does anyone know of any reason not to use aes-i586.ko?? I assume they are exactly equiv?

Yeah, it is only for 586 or better CPU. I believe that even today some people use x86 processor compatible only with 386 or 486. Geode? Other embedded x86? I'm not sure.

Robert

Re:aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Cool. I know my Athlon is 100% i586 compatible.... I know what you mean re: modern x86 processors not being fully i586 compatible. My little VIA M10000 MiniITX board springs immediately to mind as an example.

Re:aes.ko Vs. aes-i586.ko: stats...

[Gadzinka]

[...]not being fully i586 compatible. My little VIA M10000 MiniITX board springs immediately to mind as an example.

Well, I don't think so, VIA processors are rather compatible with i586. Slow as hell, but compatible. Quoting after cute page about some aspects of VIA processors, x86 processors are identified by family/model/stepping (F/M/S) triplet. My VIA Nehemiah processor identifies itself as 6/9/8, and family=6 means "i686 compatible" (i.e. compatible with original Pentium Pro instruction set).

Besides, if you have VIA 6/9/8 processor or higher (e.g. 6/10/0), you don't have to use aes-i586. Use "padlock" driver, which uses hardware AES engine on these processors, at least an order of magnitude faster than aes-i586, just as I wrote several levels higher, starting this thread ;)

Look up your F/M/S in /proc/cpuinfo.

Robert

Re:aes.ko Vs. aes-i586.ko: stats...

[colin_s_guthrie]

Yeah, naturally the h/w encryption/random num. gen. on the VIA Nehemiah will be faster for doing that. I don't actually use it with any sort of encryption anyway (it's a network boot frontend for MythTV) and so uses plain old NFS (I trust my network, but keep all my media on an encrypted partion (the vast majority of it is morally legal - copies of my own CDs/records/DVDs etc., and recordings of TV etc. but I want to be able to prove a point should anyone come snooping :)

That said, I was wrong when I said that the Nehemiah was not i586 compatible, it is. It is not however i686 compatible. It does report that it is, but I believe from previous experience that there are a couple of instructions it doesn't support, and various VIA forums etc. support this (though I could be miss informed). I do know that it will not boot with a stock pre-compiled kernel from Mandriva for the last few versions as these are compiled for i686. You have to use the i586 kernel which is explicitly compiled for i586 processors for it to work.

Actually come to think of it, it may not be the 10k Nehemiah that doesn't work, but one of the slower, 600MHz versions.... I can't fully remember just now.

Anyways, this has gone a little off topic now, so it's probably enough nonsense from me :)

Huh? Which "just written" BSD software?

[Some+Random+Username]

Cgd is several years old, its not new at all.

Is this kind of thing portable?

[WoTG]

Would this be easily ported to other BSDs, Linux, or even Windows?