Full Disk Encryption
David Klaftenegger
Department of Information Technology Uppsala University, Sweden
22. March 2019

Background
Software
LUKS
Questions

Caveat Auditor
  this talk contains opinions
  my opinions, not the university’s
  nor do I claim to be an expert
  ... so expect some imprecision and errors

22 Mar 2019 Full Disk Encryption - Cryptoparty - 2 - David K

What’s the problem?
Why encrypt data?
  important to you (that I can’t see it)
  protect in case of
  • device loss?
  • theft?
  • police?
  • nation state attackers?
My choices
  loss / theft
  broken device
  selling device
  singular access by evil maid
https://www.xkcd.com/538/ https://creativecommons.org/licenses/by-nc/2.5/

Why Full Disk Encryption?
Shouldn’t I encrypt only important data?
  lots of (personal) data on computer
  difficult to decide what is important
  encrypt everything by default
  same security, less effort
Shouldn’t I use better encryption for more important stuff?
https://www.xkcd.com/538/ https://creativecommons.org/licenses/by-nc/2.5/

Which Software should I use?
There are a lot of alternatives
From wikipedia:
• Aloaha Crypt Disk • ArchiCrypt Live • BestCrypt • BitArmor DataControl • BitLocker • Bloombase Keyparc
• Boxcryptor • CGD • CenterTools DriveLock • Check Point Full Disk Encryption • CipherShed • CrossCrypt
• CryFS • Cryhod • Cryptainer • Cryptic Disk • CryptArchiver • Cryptoloop • Cryptomator
• CryptoPro Secure Disk Enterprise • CryptoPro Secure Disk for BitLocker • CryptSync • Discryptor
• DiskCryptor • DISK Protect • Cryptsetup / Dmsetup • Dm-crypt / LUKS • DriveCrypt • DriveSentry GoAnywhere 2
• E4M • e-Capsule Private Safe • eCryptfs • EgoSecure HDD Encryption • EncFS • EncryptStick
• FileVault • FileVault 2 • FinalCrypt • FREE CompuSec • FreeOTFE • GBDE • GELI • GnuPG • gocryptfs
• Knox • KryptOS • LibreCrypt • Loop-AES • McAfee Drive Encryption (SafeBoot) • n-Crypt Pro • PGPDisk
• Private Disk • ProxyCrypt • R-Crypto • SafeGuard Easy • SafeGuard Enterprise • SafeGuard PrivateDisk
• SafeHouse Professional • Scramdisk • Scramdisk 4 Linux • SecuBox • SECUDE Secure Notebook • SecureDoc
• Seqrite Encryption Manager • Sentry 2020 • Softraid / RAID C • SpyProof! • Svnd / Vnconfig
• Symantec Endpoint Encryption • Tcplay • Trend Micro Endpoint Encryption (Mobile Armor) • TrueCrypt
• USBCrypt • VeraCrypt • TrueCrypt License Version 3.0 (legacy code only) • CyberSafe Top Secret
Some selection that you may want to look at:
  BitLocker
  VeraCrypt
  LibreCrypt
  LUKS
  ZFS (native filesystem encryption)
Maybe not that important...
https://www.xkcd.com/538/ https://creativecommons.org/licenses/by-nc/2.5/

Features
General (LUKS in bold)
  full encryption vs plaintext metadata
  open source
  plausible deniability ("hidden volume")
  protection against modification
  operating systems (Linux, Windows, Mac OS X, BSD, ...)
  multiple keys
LUKS: Linux Unified Key Setup
  random master key with eight key slots
  encrypts any block device (commonly: partition)
https://www.xkcd.com/927/ https://creativecommons.org/licenses/by-nc/2.5/
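
An added sketch (not from the talk, and not cryptsetup's code) of what "random master key with eight key slots" means: every slot holds the same master key, wrapped under a key derived from one passphrase. The names Volume, kdf and xor are made up for this example, and an XOR wrap stands in for the real cipher and anti-forensic splitter, so it shows the structure only.

```python
import hashlib, hmac, os

SLOTS, KEY_BYTES = 8, 32   # eight key slots; 256-bit master key

def kdf(secret: bytes, salt: bytes, iters: int, n: int = KEY_BYTES) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iters, n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    """Toy header: a master-key digest plus eight key slots."""

    def __init__(self, passphrase: str, iters: int = 1000):
        self.iters = iters
        master = os.urandom(KEY_BYTES)      # random, not derived from any passphrase
        self.mk_salt = os.urandom(32)
        # The digest lets open() recognise a correctly unwrapped master key.
        self.mk_digest = kdf(master, self.mk_salt, iters, 20)
        self.slots = [None] * SLOTS
        self._store(0, passphrase, master)

    def _store(self, idx: int, passphrase: str, master: bytes) -> None:
        salt = os.urandom(32)
        # XOR with the derived key is a stand-in for the real cipher + AF splitter.
        self.slots[idx] = (salt, xor(master, kdf(passphrase.encode(), salt, self.iters)))

    def open(self, passphrase: str):
        """Try every active slot; return (slot index, master key) or None."""
        for idx, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            candidate = xor(wrapped, kdf(passphrase.encode(), salt, self.iters))
            check = kdf(candidate, self.mk_salt, self.iters, 20)
            if hmac.compare_digest(check, self.mk_digest):
                return idx, candidate
        return None

    def add_key(self, existing: str, new: str) -> int:
        opened = self.open(existing)        # adding a key needs an existing one
        if opened is None:
            raise PermissionError("existing passphrase opens no slot")
        free = self.slots.index(None)       # ValueError once all eight are used
        self._store(free, new, opened[1])
        return free

    def kill_slot(self, idx: int) -> None:
        self.slots[idx] = None              # revokes one passphrase, no re-encryption
```

Because the data is encrypted under the master key and never under a passphrase, adding or revoking a passphrase only rewrites a slot and leaves the encrypted device contents untouched.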

It’s really easy
Using LUKS

    # cryptsetup -v --type luks --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat /dev/mydevice

    # cryptsetup -v luksFormat /dev/mydevice
    WARNING!
    ======
    This will overwrite data on /dev/mydevice irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase: correcthorsebatterystaple
    Verify passphrase: correcthorsebatterystaple
    Command successful.

    # cryptsetup luksFormat /dev/mydevice
    WARNING!
    ======
    This will overwrite data on /dev/mydevice irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase: correcthorsebatterystaple
    Verify passphrase: correcthorsebatterystaple

Using LUKS (optional step)

    # cryptsetup luksOpen /dev/mydevice crypto
    Enter passphrase for /dev/mydevice: correcthorsebatterystaple
    # dd if=/dev/zero of=/dev/mapper/crypto
    # cryptsetup luksClose /dev/mapper/crypto
    # cryptsetup luksFormat /dev/mydevice
    WARNING!
    ======
    This will overwrite data on /dev/mydevice irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase: correcthorsebatterystaple
    Verify passphrase: correcthorsebatterystaple

Using LUKS

    # cryptsetup luksOpen /dev/mydevice crypto
    Enter passphrase for /dev/mydevice: correcthorsebatterystaple
    # mkfs.ext4 /dev/mapper/crypto
    # mount /dev/mapper/crypto /home

Questions?
https://www.xkcd.com/1256/ https://creativecommons.org/licenses/by-nc/2.5/