File and disk encryption
Milan Brož, xbroz@fi.muni.cz
Faculty of Informatics, Masaryk University
File and disk encryption
2 | PV204 File and disk encryption
Lecture
●
File and disk encryption (data-at-rest)
●
Distributed storage encryption
●
Confidentiality and integrity protection
●
Encryption modes
●
Key management
●
Attacks and common issues
●
We will focus on low-level building blocks
so you can understand storage security in general
MOTIVATION &
STORAGE LAYERS OVERVIEW
File and disk encryption
| PV204 File and disk encryption3
Motivation
Offline, "Data at Rest" protection
notebook, server or external drives, data in cloud, backups
Key removal = easy data disposal
Confidentiality protection
- often enforced policy to encrypt portable devices
- prevents data leaks (stolen device)
Data integrity protection? (not often yet)
4 | PV204 File and disk encryption
Terminology
(Distributed) Storage Stack
layers accessing storage through blocks (sectors)
distributed => storage + network layer
Full Disk Encryption (FDE)
- self-encrypted drives, (software) sector-level encryption
Filesystem-level encryption
- general-purpose filesystem with encryption
- cryptographic file systems
5 | PV204 File and disk encryption
Storage stack & encryption layers
6 | PV204 File and disk encryption
Userspace Application
Application specific
cloud API, database, ...
OS kernel
or drivers in
userspace
Virtual file-system
(directories, files, …)
File-system encryption
Specific file-system
(NTFS, ext4, XFS, APFS…)
Volume Management
(partitions, on-demand allocation,
snapshots, deduplication, …) Disk (sector) encryption
Block layer (sectors I/O)
Storage transport
(USB, SCSI, SAS, SATA, FC, NVMe…) HW-based encryption
self-encrypted drives,
inline (slot) encryption,
chipset-based encryption
Device drivers
“Hardware”
Hardware
(I/O controllers, disks, NAND chips, …)
7 | PV204 File and disk encryption
Software Defined Storage (SDS)
• Commodity hardware with abstracted storage/network logic
• Encryption is “just” one logic function
• Usually combination with classic storage (and encryption)
• Distributed storage – storage + network layer
●
Must use also network layer encryption
●
Note differences in network and storage encryption
(replay attack resistance, integrity protection, …)
8 | PV204 File and disk encryption
Distributed Storage, Cloud & Encryption
Distributed storage – add network layer
• Shared volumes (disk encryption below)
• Clustered file-system (fs encryption)
• Distributed object store (object encryption)
• Cloud data storage - REST API
(not part of this lecture)
●
DropBox, Microsoft OneDrive, Google Drive
Amazon S3, ...
Cloud storage – common features
Deduplication – avoid to store repeated data
Compression
special case: zeroed blocks
Data snapshots (in time)
COW (copy on write)
9 | PV204 File and disk encryption
Cloud storage & encryption
Encryption with storage backend, network access and
compression & deduplication & snapshots …
Encryption on client side (end-to-end)
- inefficiency for deduplication/compression
~ in future homomorphic encryption?
Encryption on server side
- confidentiality for clients is lost
- server can access decrypted data
10 | PV204 File and disk encryption
Full Disk Encryption (FDE)
Block device – disk sector level
• disk, partition, disk image (container)
• ciphertext device / virtual plaintext device
• atomic unit is sector (512 bytes, 4k, 64k)
• consecutive sector numbers
• sectors encrypted independently
One key decrypts the whole device
• media (volume) key – one per device
• unlocking passphrases / keys / tokens
11 | PV204 File and disk encryption
Filesystem-level Encryption
12 | PV204 File and disk encryption
File / Directory
• atomic unit is filesystem block (~ compare sector in FDE)
• blocks are encrypted independently
• Generic filesystems with encryption
• some metadata can be kept in plaintext (name, size, …)
• Cryptographic filesystems
• metadata encrypted
• ~ stacked layer over generic filesystem
Multiple keys / multiple users
File vs. disk encryption
Full disk encryption
+ for notebook, external drives (offline protection)
+ no user decision later what to encrypt, transparency
+ hibernation partition and swap encryption
- more users – whole disk accessible
- key disclosure – complete data leak
+/- self-encrypted drives – you have to trust hw
Examples: Opal2 (SED), LUKS, VeraCrypt, BitLocker, FileVault
13 | PV204 File and disk encryption
File vs. disk encryption
Filesystem based encryption
+ multiple users
+/- user can decide what to encrypt
+ copied files keeps encryption in-place
+ more effective (encrypts used blocks only)
- more complicated sw, usually more bugs
- unusable for swap partitions
Examples: Linux fscrypt API, bcachefs, ZFS, APFS (Apple fs)
14 | PV204 File and disk encryption
File vs. disk encryption - data integrity
- confidentiality, but usually no data integrity protection
- often non-cryptographic parity/checksum only
- fs checksums (CRC, xxhash)
- HW support (DIF - data integrity field)
- usually not large enough
- Linux kernel authenticated encryption
- bcachefs (filesystem)
- dm-integrity + dm-crypt (LUKS2 FDE)
- performance problems
15 | PV204 File and disk encryption
Examples of HW-based encryption
• Self-encrypting drives (SED), Opal2 standard
• Encryption on the same chip providing media access
• Inline encryption
• Slots for keys (through OS context)
• Chipset-based encryption
• Encryption on controller chip (e.g. USB bridge)
• Hardware acceleration
• AES-NI, accelerators, ASICs, GPUs, …
• Secure hardware / tokens
• HSM, TPM, SmartCards, ...
16 | PV204 File and disk encryption
Opal2 - self-encrypting drive
• Trusted Computing Group (TCG) standard
●
many optional features, usually implemented only mandatory
●
single user mode or multiple users, locking ranges
●
shadow boot record (MBR)
●
PSID reset
• Used for SSD or NVMe drives
• Opal - full media encryption
• Pyrite - only authentication, no data encryption
• (other variants - Opalite, enterprise Ruby)
• new KPIO (key-per-io) - multiple keys implanted from OS
17 | PV204 File and disk encryption
DATA ENCRYPTION
File and disk encryption
| PV204 File and disk encryption18
Disk encryption algorithms primitives
l
Symmetric encryption
l Block ciphers
l Cipher block mode + initial vector / tweaks
l Hash, HMAC
l Authenticated encryption (AEAD)
l
l
Key management and key storage
l Random Number Generators (RNG)
l Key Derivation Functions (KDF)
l Key wrapping
l
19 | PV204 File and disk encryption
Data confidentiality, integrity, resilience
20 | PV204 File and disk encryption
Confidentiality
Data are available only to authorized users
Integrity
Data consistency
Data cannot be modified by unauthorized user
=> all modifications must be detected
Note: replay attack (revert to old valid data), detection cannot be provided without separate trusted store.
Resilience
Data integrity can be securely recovered
(Backup, redundancy / replication, error correction, ...)
Data integrity / authenticated encryption
Poor man's authentication (= no authentication)
• User is able to detect unexpected change
• Very limited, cannot prevent old content replacement
Integrity – additional overhead
• Where to store integrity data?
• Encryption + separate integrity data
• Authenticated modes (combines both)
• Tamper Evident Counter (TEC)
• Merkle tree
21 | PV204 File and disk encryption
Combination of features...
Storage performance, reliability and easy to use
• is often enemy to storage cryptographic security :-)
• weak (but fast) algorithms
• non-cryptographic hashes
• redundancy (RAID, FEC - forward error correction)
• deduplication, compression, acess recovery
The goal is to understand threat model and design and implement
system without introducing too many weak points.
There is always a trade-off in storage security for commodity HW.
22 | PV204 File and disk encryption
DATA ENCRYPTION MODES
File and disk encryption
| PV204 File and disk encryption23
Symmetric encryption (examples)
AES, Cammelia, Adiantum, Serpent, Twofish, ...
Confidentiality-only modes
• Storage encryption mostly CBC, XTS
• Length-preserving encryption, block tweak
Authenticated modes (encryption + integrity)
• AES-GCM, (X)ChaCha20-Poly1305, AEGIS
• Integrity protection often on higher layer
24 | PV204 File and disk encryption
Standards
IEEE 1619 – encryption modes for storage
NIST Special Publications (SP) –
ciphers,modes, KDF, password handling, ...
TCG storage – self-encrypted drives
FIPS 140-2, 140-3, Common Criteria (CC)
Many other as IETF RFC documents.
25 | PV204 File and disk encryption
Propagation of plaintext changes
26 | PV204 File and disk encryption
A change in plaintext should transform to randomly-looking
change in the whole ciphertext sector. Solutions?
• Ignore it, and decrease granularity of change
=> change location inside ciphertext sector
• Use wide mode (encryption block size = sector size)
• requires at least 2x encryption loop
• modes are patent encumbered
• Use additional operations
• Elephant diffuser in Windows Bitlocker
• Google Adiantum (cipher composition)
Encryption example output
27 | PV204 File and disk encryption
plaintext ciphertext
Wrongly used encryption – patterns, leaks
28 | PV204 File and disk encryption
ECB mode AES-XTS & constant IV
Cipher-Block-Chaining (CBC) mode
• Blocks cannot be encrypted in parallel
• Blocks can be decrypted in parallel
• Tweak must be non-predictable (watermarking!)
29 | PV204 File and disk encryption
CBC encryption
30 | PV204 File and disk encryption
ciphertext disk / file-system block …
block tweak
plaintext disk / file-system block …
AES block
CBC decryption
31 | PV204 File and disk encryption
ciphertext disk / file-system block …
block tweak
plaintext disk / file-system block …
XOR-Encrypt-XOR (XEX / XTS) mode
• Encryption / decryption can run in parallel
• Two keys – 512-bit key means AES-256
• Tweak can be predictable nonce – sector number (offset)
• Ciphertext stealing not needed for common sector sizes
• Used in most of FDE systems today (2024)
• It is not a wide mode!
• Trade-off for performance
XTS mode encryption/decryption
33 | PV204 File and disk encryption
ciphertext disk / file-system block …
block tweak
CBC vs XTS change propagation
34 | PV204 File and disk encryption
• XTS is trade-off for performance
• For storage, data always aligned
to encryption blocks
XTS: no ciphertext stealing
• Initial vector/tweak is important
• CBC is phased out today
AES-XTS IV mode – sector# vs random
35 | PV204 File and disk encryption
IV is sector number randomized IV
Every 64 byte changed (ciphertext differences)
Adiantum
• Low-end mobile
device disk / file encryption
• Wide “mode”
• HBSB composition:
• Hash – NHPoly1305)
• Block Cipher – AES
• Stream Cipher – XChaCha12,20
• Hash – NHPoly1305
• Key derivation
KAES|| KNHPoly = XChaCha(K,1|0..0)
36 | PV204 File and disk encryption
KAES
KNHPoly
K
Block #
https://eprint.iacr.org/2018/720
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
disk / fs block
Steganography / deniable encryption
Plausible deniability:
Existence of encrypted data is deniable
If adversary cannot prove that it exists
Steganography
Hiding data in another data object
Some more recent examples:
●
TrueCrypt / VeraCrypt - hidden disk
●
Shufflecake - multiple hidden filesystems
37 | PV204 File and disk encryption
Trivial example: VeraCrypt hidden disk
• FAT linear allocation (other fs are very problematic)
• Hide another disk in unallocated space
38 | PV204 File and disk encryption
Deniable encryption problems
Side-channels
●
Tracking activity that cannot be explained for decoy system
●
Software: link to recently open documents, …
Suspicious parameters (FAT), disabled TRIM, …
●
Hardware: internal SSD block allocations
(access to “unused” areas)
Incompatibility with new drives (TRIM)
Note: flash storage is more complicated (NAND chips management, wear-leveling, ...)
With low-level HW access you could detect suspicious patterns.
39 | PV204 File and disk encryption
TRIM / discard and encryption
• TRIM informs SSD drive about unused space
• Unused space is detectable
• Pattern recognition (fs type) example
40 | PV204 File and disk encryption
KEY MANAGEMENT
File and disk encryption
| PV204 File and disk encryption41
Long-term key generation and key store
Encryption key (~ Media Encryption Key – MEK)
• Used to encrypt device
• change means complete reencryption
• Usually generated by a secure RNG
Unlocking key (~ Key Encryption Key – KEK)
• Key wrap (MEK remains the same)
• Can be derived from passphrase
• PBKDF2 (Password Based Key Derivation)
• scrypt, Argon2 (memory-hard KDFs)
dictionary and brute-force resistance
42 | PV204 File and disk encryption
Key storage
Outside of encrypted device / filesystem
• Another device, file, token, SmartCard, TPM, HSM
• On a key server (network)
• Protected by another key – key wrap, key encapsulation
On the same disk (with encrypted data)
• Metadata on-disk – key slots
Integration with key management tools
• LDAP, Active Directory, ...
Combination of above
43 | PV204 File and disk encryption
Key removal and recovery
Key removal (wipe of key) = data disposal
• Intended (secure disk disposal)
• Unintended (error) => complete lost of data
Key recovery
• Trade-off between security and user-friendly approach
• Metadata backups
• Multiple metadata copies
• Key Escrow (key backup to different system)
• Recovery key to regenerate encryption key
44 | PV204 File and disk encryption
ATTACK EXAMPLES
File and disk encryption
| PV204 File and disk encryption45
Attacks always get better, they never get worse.
• Against algorithm design
• Wrongly used encryption mode, IV
• To implementation
• Insufficient entropy (broken RNG)
• Weak derivation from weak passwords
• Side channels
• Obtaining key or passphrase in open form
• Cold Boot
• “Black bag analysis” - Malware, key-logger
• Social engineering, “Rubber-hose cryptoanalysis”
46 | PV204 File and disk encryption
Integrity attacks
No integrity protection
• Inserted random block
=> undetected data corruption
• Inserted block from other part of disk
• Undetected random error (like bit flip) or
erasure (like hw-replaced unreadable sector)
=> “silent data corruption”
Weak integrity protection
• Inserted previous content of (ciphertext) block
=> replay attack
47 | PV204 File and disk encryption
Integrity attacks
48 | PV204 File and disk encryption
FDE attacks – real-world examples
• Some chipsets use ECB mode
• Weak key derivation (brute-force possible)
• Trivial unlocking mode (1-bit password is ok/bad)
• Weak key-escrow (backup key in EEPROM)
• SED – switch power attacks
• SED – ransomware and unconfigured passphrase
• Cold boot – key in memory
• Key loggers
• Weak RNG (key is not random)
• LUKS2 reencryption (forced decryption)
49 | PV204 File and disk encryption
LAB
50 | PV204 File and disk encryption
Laboratory – FDE attack examples
Basic understanding of FDE
VeraCrypt, LUKS, (BitLocker)
Scanning memory image for encryption key
ColdBoot attack principle
HW key-logger attack
Why you have to trust your HW
Sector data integrity, error correction
basic principles demonstrated with cryptsetup tools
Optional: flawed algorithm and watermarking
Revealing legacy TrueCrypt hidden disk existence (CBC)
51 | PV204 File and disk encryption