Forgot your password?
typodupeerror

NetBSD's Crypto-Graphic Disk 219

Posted by CmdrTaco
from the can-you-crack-me-now dept.
An anonymous reader writes "Security-minded laptop users live in fear of theft, not only of their computer but also of their precious secret data. NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem. Recently its author, Roland Dowdeswell, was interviewed and provided a lot of details, and made a comparison with Linux's Loop-AES, FreeBSD's GBDE, OpenBSD's svnd. This is a must-read for any laptop owner (and paranoid androids)!"
This discussion has been archived. No new comments can be posted.

NetBSD's Crypto-Graphic Disk

Comments Filter:
  • So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.
    • by cmdrbuzz (681767)
      If you are using Mac OS X then you have disk image encryption built in.

      See FileVault [apple.com] for the automagic encrypted home directory

      or see hdid [apple.com] for the command-line version of disk utility.

    • by pepdar (552449) on Wednesday December 28, 2005 @09:43AM (#14351382)
      Mac OS X is a *nix OS.
      It also features an encrypted file system, FileVault [apple.com].
      • Mac OS X is a *nix OS.

        No, Mac OS X is a BSD. There's a difference.
        • by thebdj (768618) on Wednesday December 28, 2005 @10:23AM (#14351549) Journal
          Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

          In reality, it is probably still safe to call it a *nix, only the BSD zealots would like us to separate it into a "BSD", which is about as anal as separating the Linux distributions into different groups.

          BTW, your original post compared it to *nix operating systems and complained about OSX. The Article refers to this about NetBSD, therefore making your statements a bit mixed.

          The folks over at Wikipedia seem to agree with us on this one [wikipedia.org].
          • Moreso than Linux. BSD is based on the original AT&T source code, although it was mostly rewritten over the years.
          • Actually, BSD is a unix derivative just like Linux. Both have their separation from Unix and neither is Unix.

            Actually GNU's Not Unix. It is a system which behaves in the same, compatible way, not a derivate. Linux is a kernel.
    • by tamnir (230394) on Wednesday December 28, 2005 @09:54AM (#14351427)
      That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt [truecrypt.org]. Not only is it open source and cross platform (Windows/Linux), but it also happens to simply rock, surpassing many commercial products, with lots of nice features like the use of keyfiles, or for the true paranoid, cascade encryption (like AES-Blowfish-TripleDES) and plausible deniability (hidden volume).
      • You can setup encryption for any homefolder in Xandros right from the user admin section of Control Ceenter. It uses keyfiles and supports the algorithms you listed plus about six others.
      • That is exactly why my prefered solution for on-the-fly hard disk encryption is TrueCrypt.

        TrueCrypt is vulnerable to watermarking attacks. Some time ago I created a watermarked file [kasperd.net] to demonstrate this weakness. If you put this file on a file system encrypted with TrueCrypt, some easily recognizable patterns will show up in the encrypted container. You simply take each pair of neighbor sectors in the encryption and XOR them with each other. When you reach the place where this file is located, the result
        • TrueCrypt is vulnerable to watermarking attacks.

          I took a look through the list of new features in TrueCrypt 4.1, and apparently it has been improved to avoid watermarking attacks. So my previous comment only applies to volumes created with TrueCrypt 4.0 and earlier. I have not looked through the documentation and source to verify how secure the new mode is.
      • Of course, they didn't bother to write a program to create a TrueCrypt volume under Linux, so for right now this program is utterly useless.
    • Filevault (Score:4, Informative)

      by Savage-Rabbit (308260) on Wednesday December 28, 2005 @10:03AM (#14351465)
      So the CGD disk is an encrypted pseudo disk driver. It sits on top of another partition and acts as a new virtual disk to the rest of the operating system. But what of those of us that have to use windows, or Mac OS X? This seems like it's only compatible with *nix OSes.

      OS.X ships with something called Filevaut, accessable from 'System Preferences'. Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it. This image gets mounted onto your Home directory when you log in and cannot be accessed unless you either know the login password or somehow manage to crack the encryption on the image file. This is useful for mobile professionals and the on the fly encryption works surprisingly well unless you are working with say, Photoshop files that weigh in in the hundreds of megabytes. For day to day stuff this works quite well. Just for example, I keep my iTunes collection on a filevault image and it does not seem to kill performance even with resource hogs like MS Word and Excel running.

      If you only want a small secure area rather than encrypting the entire Home directory like you do with Filevault you can also create stand alone *.dmg images with the 'Disk Utility'. These have the same 128-bit AES encryption as Filevault. Fire up /Applications/Utilities/Disk Utility.app, select File->New->Blank Disk Image... Once created this can be accessed by double clicking it and feeding it the password.
      • Filevault migrates your home directory onto an encrypted image using a 128-bit AES key which, AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

        Wonder why... ;-)

      • AFAIK is pretty secure, at least the NSA sponsored OS.X security guide I read recently recommended using it.

        Is that the same guide I read? I think it's title was: " For Our Eyes Only "
    • Windows has the Encrypted Filesystem built into NTFS.

      http://www.microsoft.com/technet/prodtechnol/winxp pro/deploy/cryptfs.mspx [microsoft.com]
      • I have never used windows encryption, but I was under the impression that it's a file-level, rather than a disk-level encryption - so while you couldn't get the information back easily, you could view the file name, size, date and other attributes, as well as see the number of files encrypted.

        Disk-level encryption, which protects the entire drive until the key is entered is far more secure - you can't even prove there is anythign at all on the disk, or if it's just randomized bits generated from a secure wi
        • It's integrated into AD and local permissions meaning that an enterprise admin could revoke or grant priviledges on the fly which is a really big deal in an infrastructure environment. Also, it is a key cert style encryption so you can always back up the decrypt key or use a central key server. I have never tried to use it to hide a volume for plausible deniability, but I don't think it was designed with that in mind.
  • by fionbio (799217) on Wednesday December 28, 2005 @09:35AM (#14351346)
    Why do you think that Marvin's brain was running NetBSD? Otherwise, what use could he make of a laptop, with his "brain the size of a planet" ?
  • by Ffakr (468921) on Wednesday December 28, 2005 @09:40AM (#14351367) Homepage
    This is interesting and all, but this isn't exactly a ground-breaking news item.
    PGP lets you do this on various platforms.
    As a matter of fact, this is how I manage personal info on my OS X Macintosh. I create an strong-encrypted virtual disk image with banking, internet login, software key, and (un)related information. When I need something I mount it and when I'm done I umount it and it's nice and safe (as long as I never tell Keychain to remember the password).
    You can do this on a vanilla OS X install with Disk Utility.

    ffakr
  • questions to ponder (Score:5, Interesting)

    by digitaldc (879047) * on Wednesday December 28, 2005 @09:43AM (#14351379)
    What happens if cdgconfig file is lost or damaged?
    If you lose the cdgconfig file, is your data irrecoverable?
    When it overwrites data, is it truly unreadable?
    How taxing is this system, how long does it take to execute?
    What happens when you lose your PW?
    Are there knowledgable people in the same continent that can provide support for this?
    • Simple answer really... You lose your data, that's why the interview tells you to back it all up.
    • What happens if cdgconfig file is lost or damaged? If you lose the cdgconfig file, is your data irrecoverable? When it overwrites data, is it truly unreadable? How taxing is this system, how long does it take to execute? What happens when you lose your PW? Are there knowledgable people in the same continent that can provide support for this?

      If you loose your config, I guess (I don't know) that you easily can make a new config file. It'd be no problems to store the config on a set of superblocks on the vo

  • NetBSD's CGD project is a cryptographic virtual disk that can protect sensitive data while acting like a normal filesystem.

    If it acts like a normal filesystem, that means that nothing special needs to be done to access it, provided you have an account with rights to use that filesystem (I'm assuming it needn't be root). So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

    In retrospect, most BSD users probably don't keep their passwords on a stick

    • So what if the person stealing your laptop gets a hold of your password? How does it become any more secure?

      You mean, if I tell everybody my password, then it's no more secure ? Really ? Are you sure ?
      I've been doing that for years, you scare me !
    • I don't know how GCD in particular works, but with Unix disk encryption, the designers typically allow for the entire filesystem to be encrypted from root (/) on down. In this case, you are asked for a passphrase by the kernel or some utility before the relevant parts of your disk are "unlocked." System accounts don't even enter into it since /etc could very well (and probably should) be encrypted on a sensitive machine. The attacker can know your user password, root password, and the blood type of your fir
  • by Futurepower(R) (558542) <MJennings.USA@NOT_any_of_THISgmail.com> on Wednesday December 28, 2005 @09:44AM (#14351388) Homepage
    TrueCrypt [truecrypt.org] is disk encryption software for Windows XP/2000/2003 and Linux. Version 4.1 was released last month. It seems to have been designed by people who are VERY serious about encryption. For example, TrueCrypt "provides two levels of plausible deniability".
    • by jbarr (2233) on Wednesday December 28, 2005 @10:54AM (#14351721) Homepage
      I agree 100%. TrueCrypt lets you manage not only entire encrypted disks, but smaller, user-definable "container" volumes as well. These are all mounted as virtual drives, and are seamless to use. TrueCrypt works especially well with Thumb Drives.

      One thing I really like about TrueCrypt is that it just works. I have tried several commercial options and several that come with Thumb Drives, and they tend to be either too cutsey or kludgy to use. In almost all cases, they are cumbersome and just have an "unstable" feel about them. TrueCrypt is solid, quick, and also importantly, doesn't require any installation other than copying a couple files and launching the app. (It does come with an installer, but it isn't necessary.)

      Have a read of their FAQ [truecrypt.org] and and you will see that a LOT of thought and effort has gone into this application. [truecrypt.org]
      • I've only just begun using TrueCrypt, but my experience, also, is that it just works, also. I like making and maintaining a container, which can be moved to a thumb (flash memory) drive for traveling.

        I like the command line options of TrueCrypt.

        Most importantly:

        1) Reading the web site and documentation gives me the impression the developers know what they are doing. I like it that, in the comments above, the developers are criticized for an incorrect statement about block chaining, and the error wa
    • by trifish (826353) on Wednesday December 28, 2005 @11:23AM (#14351876)
      You forgot to write a very important thing:

      TrueCrypt is open source and free (as in freedom and beer).
    • I use TrueCrypt, and it's great on a USB stick, but it does not provide encryption of the boot volume, which can be quite important (especially in Windows).
      • The FAQ includes a method to encrypt the boot volume on Windows.
        • Making a boot CD to run the OS is hardly a workable alternative. And the Windows SAM and registry would still be unencrypted, just on the CD, which will always be near the laptop.

          My point is there are quite a few commercial products that do full-disk encryption, and Vista will include it as well. I presume they do this with code loaded from the MBR. Most can even encrypt an existing disk.

          Full-disk encryption would be a killer feature, and make TrueCrypt much easier to use for the average business traveller.
  • by advocate_one (662832) on Wednesday December 28, 2005 @09:45AM (#14351391)
    if you remember to encrypt any partitions that temporary data might possibly reside on... cos it would be awfully silly to protect your home partition and forget /var or /tmp or the swap... why not be completely paranoid and encrypt the the volatile "partition" that gets created in memory
  • What a Load (Score:5, Insightful)

    by Some guy named Chris (9720) on Wednesday December 28, 2005 @09:50AM (#14351411) Journal

    From the summary: "Security-minded laptop users live in fear of theft"

    Nice blanket generalization there. I'm security minded, use two laptops, and I don't live in fear. I mitigate risks. I use caution, but I don't live out my life in a state of fear, as your cliche ridden statement says.

    Karma be damned, but I'm sick of people who use phrases without thinking what they actually mean.

  • NetBSD at SCALE 4x (Score:2, Interesting)

    by irabinovitch (614425)
    NetBSD will be exhibit at SCALE 4x [socallinuxexpo.org]
  • by Anonymous Coward
    Reading the first few lines of the interview I get the impression it does almost the exactly the same stuff dm-crypt does, which has been in Linux stable for over a year now.
    Have a look at http://luks.endorphin.org/ [endorphin.org]
    In my opinion, there has been some excellent work been done.
  • SuSE supports encrypted disks without the use of the commandline. Does anyone have any comment as to the security or the recoverability of the SuSE system?
  • dm-crypt? (Score:5, Informative)

    by Gadzinka (256729) <rrw@hell.pl> on Wednesday December 28, 2005 @01:27PM (#14352695) Journal

    It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt [saout.de].


    If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:

    • it allows to use encryption algorithms in CBC mode [wikipedia.org];
    • uses published linux kernel crypto API, which means that you can use any cipher known by kernel;
    • because of the above, if kernel has hardware support for some crypto algo, dm-crypt uses it automagically: I have a very low power VIA Epia MicroITX board (soon to be replaced by even lower power Nano ITX board by Epia) serving as my home fileserver. The processor, VIA Nehemiah is disgustingly slow at it's 800MHz, but it has VIA Padlock crypt engine doing AES in hardware -- access speed on encrypted AES256-CBC partition is indistinguishable from the speed on the same non-encrypted disk, and a lot higher than on my Pentium M 1.6GHz notebook with Blowfish (i.e. the fastest-yet-quite-safe) dm-crypt partition.
    • because it uses Crypto API, you can use any new safer or faster algo, whether it's done in software or hardware, as soon as there is crypto api driver for it (crypto using GPU anyone? ;)
    • with existing cryptsetup tool you can create encrypted swap partition with random key taken from /dev/random; and since some platforms (e.g. VIA Epia, but also chipsets from Intel, AMD and others) have true hardware random generators with Linux drivers, I wish a lot of luck to someone trying to recover passwords from my swap device ;)
    • while existing key generation method is not as kosher as described PKCS#5 PBKDF2 or multifactor solutions, cryptsetup is just a userspace tool controlling kernel space diskmapper virtual disk engine; you can write your own tool and initialize your dm-crypt partitions any way you want [linux.com];

    OK, I'm tired, go read the links and you'll be much wiser and better informed than after reading TFA ;)

    Robert

    • The major difference between dm-crypt and loop-aes is that loop-aes has optimized assembler. My tests between dm-crypt and loop-aes showed that dm-crypt was more than 3 times slower.

      With loop-aes, my drive is the bottleneck. With dm-crypt, dm-crypt is the bottleneck.
      • Ever tried the aes-i586.ko kernel module instead of default aes.ko?

        Robert
        • well no since i was using x86_64

          and there wasnt an x86_64 asm implementation when i tested in 2004. maybe everything has been fixed by now though. it wasnt an option then.
          • [0:26] [rrw@laptok:/home/users/rrw]
            0% cd /usr/src/linux/arch/x86_64/crypto

            [1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
            0% ll
            total 24
            -rw-rw-rw- 1 root root 8388 Oct 28 02:02 aes.c
            -rw-rw-rw- 1 root root 4671 Oct 28 02:02 aes-x86_64-asm.S
            -rw-rw-rw- 1 root root 159 Oct 28 02:02 Makefile

            [1:06] [rrw@laptok:/usr/src/linux/arch/x86_64/crypto]
            0% uname -a
            Linux laptok 2.6.14 #2 PREEMPT Sat Dec 24 22:04:04 CET 2005 i686 GNU/Linux

            Robert

        • Thanks to the poster above who pointed this out to me...

          I am using dm-crypt on top of a level 5, 3 disk SATA raid.

          The system just used a normal aes.ko module so I decided to try the aes-i586.ko module (the server is a Athlon XP 2400+ with 512 MB RAM).

          Here are my results:

          Control Read test file (non-crypted)...

          1) 0.01user 1.43system 0:17.99elapsed 8%CPU
          2) 0.03user 1.43system 0:18.07elapsed 8%CPU
          3) 0.03user 1.43system 0:17.94elapsed 8%CPU

          AES
          ===

          Write test file....

          1) 0.05user 4.99system 0:53.26elapsed 9%CPU
          2) 0.
          • Does anyone know of any reason not to use aes-i586.ko?? I assume they are exactly equiv?

            Yeah, it is only for 586 or better CPU. I believe that even today some people use x86 processor compatible only with 386 or 486. Geode? Other embedded x86? I'm not sure.

            Robert
    • It's interesting to see xxxBSD user/developer comparing "just written" software for BSD with ancient versions of Linux counterparts and (surprisingly) finding xxxBSD version to be better. My point being: dm-crypt.

      If you are interested in Linux 2.6 encrypted partition, use dm-crypt together with cryptsetup tool. It's much safer than AES loop and:[...]

      There is a dm-crypt tutorial on Linux Journal: Encrypt Your Root Filesystem [linuxjournal.com].

      It was also published in Spanish by the magazine Mundo Linux [revistaspr...onales.com].

    • Cgd is several years old, its not new at all.
  • GBDE (Score:3, Interesting)

    by kasperd (592156) on Wednesday December 28, 2005 @01:32PM (#14352722) Homepage Journal
    He seems to have a relevant worry about the lack of atomicity when writing to a GBDE encrypted device. However he fails to notice that this happens only because GBDE has addressed a problem which every other disk encryption seems to have ignored. You get certain security advantages from probabilistic encryption. But probabilistic encryption implies the encrypted version must be slightly larger than the clear text.

    More than once has the use of deterministic encryptions lead to weaknesses in disk encryptions. And often the workarounds require additional CPU power. And even the most careful deterministic encryption can never be as secure as a probabilistic encryption.

    GBDE does have probabilistic encryption. This also means that obviously an update requires more than one physical write. Though this could be done securely, the way it is done in GBDE seems to give a risk of data loss/corruption. Some kind of journaling could have solved the problem. Having journaling both in the encryption and in the file system seems to be overkill (and clearly hurts performance), but integrating the two without compromising security is nontrivial. I'd like to see some more research in this area.

    From my description it may sound like from a cryptographic viewpoint GBDE is the best designed disk encryption in existence. Unfortunately it isn't so. It did get some things right, but it seems to be mostly by luck. GBDE uses different pseudo random keys for each sector, however rather than using a standard PRNG, PHK decided to invent his own known as the Cherry Picker. Unfortunately there is a weakness in this generator as the output is not uniformly random.

    To the best of my knowledge GBDE is currently the only disk encryption making use of probabilistic encryption, and none of the disk encryptions in existence make a serious effort at guaranteeing integrity (also known as security against an active adversary).
  • Okay, I RTFA, and still don't see why there is a hyphen in "crypto-graphic" here. I thought perhaps it was some cute way to use a graphics card to do the the encoding, but I think it's (don't laugh) a typo. Please correct me if I'm wrong.
  • by tezza (539307) on Wednesday December 28, 2005 @03:09PM (#14353296)
    I've used this A LOT.

    Cross Crypt - Open Source AES and TwoFish Linux compatible on the fly encryption for Windows XP and Windows 2000. [scherrer.cc]

    It uses the excellent Filedisk [acc.umu.se] to appear as a volume in Explorer.

    It's GPL, sorry to restate that, but I dunno if you read the headline fully or not.

  • Hey -- I'm no crypto, OS or FS guru, how does this compare/differ from Apple's FileFault which provides on the fly encrypt/decrypt of user files? Being an Apple user, I have yet to use the FileVault utility, but it does look enticing, just that encrypting files on my workstation doesn't seem worth the *anticipated* performance hit.

    Perhaps this might be yet another *BSD project that Apple could benefit from ala Konqueror. Or not.
  • Seagate has announced [seagate.com] a laptop disk that does full disc encryption in hardware, without slowing down disc I/O at all. Seems like that makes software solutions (which are subject to reverse engineering, etc.) decidedly inferior.
    • Sure, except that cgd works on memory block devices (useless) and file-backed block devices (pretty useful). And on any disk. And on any platform. And on USB bars and floppy diskettes.

      Nice to hear Seagate is offering a specialty product, but you can have much more versatile encryption for free, and it's easier to administer. How would the Seagate drive get its password? Would you type it in while booting? Or have to use a Windows-specific driver? Or would it memorise it, completely defeating the point of en
  • Would this be easily ported to other BSDs, Linux, or even Windows?

"An organization dries up if you don't challenge it with growth." -- Mark Shepherd, former President and CEO of Texas Instruments

Working...