Techniques and Solutions for Storage Encryption

Vittorio Giovara

February 20, 2008 Contents

1 Introduction 3 1.1 Overview ...... 3 1.2 Basics of File Storage ...... 3 1.2.1 Files and Filesystem ...... 3 1.2.2 Disk partition ...... 4 1.2.3 Master Boot Record ...... 4 1.2.4 Loop Device ...... 4 1.3 Solutions ...... 4

2 Modern Techniques 5 2.1 Full Disk Encryption ...... 5 2.2 Virtual Disk Encryption ...... 6 2.3 Volume Encryption ...... 6 2.4 File/Folder Encryption ...... 6 2.5 Other Solutions ...... 6

3 Solution Analisys 8 3.1 Possible Problems ...... 8 3.1.1 Advantages/Disadvantages Summary ...... 8 3.2 Cryptoghaphic Concerns and Management ...... 9 3.3 Authentication Issues ...... 10 3.4 Selection Aspects ...... 10

4 Current Implementations and Benchmarks 11 4.1 TrueCrypt 5.0 ...... 11 4.1.1 TrueCrypt for Linux ...... 11 4.1.2 TrueCrypt for Windows ...... 11 4.1.3 TrueCrypt for Mac OS X ...... 11 4.2 BestCrypt ...... 12 4.2.1 BestCrypt for Linux ...... 12 4.2.2 BestCrypt for Windows ...... 12 4.3 Operating System Integrated Solutions ...... 12 4.3.1 Linux - dm-crypt ...... 12 4.3.2 Windows - EFS ...... 13 4.3.3 Mac OS X - FileVault ...... 13 4.4 Final Benchmarks ...... 13 4.4.1 Volume Encryption ...... 14 4.4.2 Virtual Disk Encryption ...... 15 4.4.3 Full Disk Encryption ...... 17

Bibliography 20

A Test script 21

1 List of Tables

4.1 Volume Encryption perfomance test #1 (one file from single bytes)...... 14 4.2 Volume Encryption perfomance test #2 (one file from blocks of 1024 bytes)...... 14 4.3 Volume Encryption perfomance test #3 (one file from blocks of 4096 bytes)...... 14 4.4 Volume Encryption perfomance test #4 (multiple files from single bytes)...... 15 4.5 Volume Encryption perfomance test #5 (multiple files from blocks of 1024 bytes)...... 15 4.6 Volume Encryption perfomance test #6 (multiple files from blocks of 4096 bytes)...... 15 4.7 Virtual Disk Encryption perfomance test #1 (one file from single bytes)...... 16 4.8 Virtual Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes)...... 16 4.9 Virtual Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes)...... 16 4.10 Virtual Disk Encryption perfomance test #4 (multiple files from single bytes)...... 16 4.11 Virtual Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes). . . . . 17 4.12 Virtual Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes). . . . . 17 4.13 Full Disk Encryption boot time test...... 17 4.14 Full Disk Encryption perfomance test #1 (one file from single bytes)...... 17 4.15 Full Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes)...... 18 4.16 Full Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes)...... 18 4.17 Full Disk Encryption perfomance test #4 (multiple files from single bytes)...... 18 4.18 Full Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes)...... 18 4.19 Full Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes)...... 19

2 Chapter 1

Introduction

HISDOCUMENTWILL focus on the current theories and actual implementations of the storage encryption T technology. A brief introduction to the problem of securing data on hardware devices will be provided, along with some basics about ﬁle storage techniques, in order to fully understand the main issues. Afterwards this document will present the main solutions analizing the advantages and disadvantages of each one, taking in consideration encryption and authentication concerns. Finally some related open source programs.currently available will be showed, testing the performance impact of each adopted solution.

1.1 Overview

Due to the pervasive presence of computer systems in every aspect of modern life, there has been mayor concern regarding the protection and conﬁdenciality of data and information stored in hardware devices, such as hard disks, USB drives, portable CD/DVD and memory cards. Malicious actions can be performed in order to obtain access to sensitive data and commit identity theft, industrial secrets disclosure, fraud and privacy violation in general. To avoid unauthorized access to private information it has been suggested to adopt symmetric encryption (quickier than asymmetric encryption for large quantities of data) on such devices, making impossibile to dispose of such data without proper authentication and proper access rights. This way data is protected from unauthorized read even in case of loss of device. Encryption is very effective, as it can be applied to single ﬁles (granularly) or to the whole volume, but its introduction can cause some disadvantages, like backup problems, recovery of lost keys, operating system integration, performance impact and centralized management drawbacks.

1.2 Basics of File Storage

In order to understand how the technologies for storage encryption work, it is important to have some basic knowledge about how ﬁles are stored on disk and how the operating system interacts with the ﬁlesystem. Here is presented a brief description of some of the recurring aspects in the solutions later discussed..

1.2.1 Files and Filesystem The computer stores data into an abstract data type, called file, that allows to organize and access information according to the operating system implementation. Files are usually stored on non volatile devices for preserving their state even withouth power supply; such devices can be magnetic disks (very common) or flash memory (like memory cards and USB pendrives). The operating system can access files only if the disk is formatted with a filesystem; this means that the device is organized under known patterns as reported by the filesystem. It the filesystem that manages and stores file accordingly onto the device, respecting the address data of clusters and blocks of the disk, and that works as a driver for the operating system when dealing with file attributes, file types, access permission and available operations.

3 1.3 Solutions 4

1.2.2 Disk partition A disk can be formatted only if it has been properly partioned, that is, it has been logically divided in one or multiple indipendent drives. A partition is the logical container of the filesystem; if no filesystem is present the partition is “raw”and can’t be accessed by the operating system (with some exception, like the swap-space in UNIX systems). In IBM PC-compatible disks, the list of the partition is stored in the Partition Table, a 16 bytes field in the Master Boot Record; these kind of disks can hold only four primary partitions, but it’s also possibile to create one extended partition capable of holding up to 128 different partitions. The type of partition is defined in the first byte of the partition table entry (which can also contain inforrmation about the filesystem installed).

1.2.3 Master Boot Record The Master Boot Record is the first sector (512 bytes) of a partitioned data storage device, often called “Sec- tor 0”, and contains important information of the structure of the partitioned disk. In IBM-PC convention, the Master Boot Record holds the primary partition table, four 16 bytes entries, and the bootstrapping code, the code to be executed when the BIOS identifies the first active primaray disk, usually a bootloader, such as LILO or GRUB, or some operating system bootstrap instructions..

1.2.4 Loop Device Loop devices are pseudo-devices that make files accessible as if they were actual physical disks. They can be mounted and formatted like any other storage device, with the difference that the files reside above another filesystem; normally perfomance of loop devices is slower than standard hardware devices.

1.3 Solutions

As reported by [1], the most commonly found solutions for storage encryption are:

• Full Disk Encryption

• Virtual Disk/Volume Encryption

• File/Folder Encryption

Ii is possible to implement nested solution or use other available systems. The following chapter (§2) will describe the operational behaviour of each system alogn with other possibile solutions, while for a more detailed analisys, please consult §3. Sometimes Virtual Disk/Volume Encryption is referred as on-the-ﬂy encryption because ﬁles are immedi- ately accessibile after authentication and the virtual disk is mounted with physical drive emulation. Chapter 2

Modern Techniques

HISCHAPTERWILL present the available technologies created for implementing storage enctryption in T various environment, showing the main purposes and limitations of each method.

2.1 Full Disk Encryption

Full Disk Encryprion is a software based technique that ciphers the whole content of the disk, all files (in- cluding the system ones) present on the device, with a symmetric encryption algorithm (usually the Advanced Encryprion Standard). This method works by redirecting the Master Boot Record code to a Pre Boot Environment instead of the primary operating system; in the Pre Boot Environment the system loads basic drivers for Input/Output and asks the user for authentication (Pre Boot Authentication). After this passage, the computer loads and it decrypts all the files needed during bootstrap; when the operating system is loaded, the user is no more asked for authentication and every file is transparently encrypted or decrypted when it is written or read on disk respectively.

Figure 2.1: Boot sequence for Full Disk Encryption (orginal image at [1])

Full disk encryption is very effective when the device is lost or when the computer is off, as there is no way for data to be disclosed without proper user authentication, but it is very weak in respect to other storage encryption solutions because when the computer is on and the operating system is loaded it doesn’t offer any kind of security or conﬁdenciality at all. On the other hand, this method is very well supported by operating systems, since the encryption is traspar- ent to them, even if modifying the Master Boot Record can generate trouble in dual or multi boot systems (a computer with two operating systems or more). The Master Boot Record is usually checked for integrity at the Pre Boot Environment, so it is not possibile to modify it without proper tools. There are some hardware implementations that, thanks to additional unremovable disk controllers for key and password storage, preserve the Master Boot Record; however they have received poor interest from the market as they cannot be managed centrally and require physical presence for any operation.. The delay and overhead brought by the encryption/decryprion process is tangible only at boot time and when dealing with very large ﬁles.

5 2.2 Virtual Disk Encryption 6

2.2 Virtual Disk Encryption

Virtual Disk Encryption is used for encryption of single or multiple files. The files which need protection are store in a special container, as if it were a folder, and it is afterwards encrypted. A separate software is needed to obtain access to the files saved in the container and all read and write are managed to that software only after authentication. Sometimes it is also possibile to install such software as a kernel module in order to reduce the delay time. If the operating system support single sign-on, it is possibile to configure this solution to automatically authenticate the user through the operating system authentication; in this way it woud be enough for the user using a single password for accesing the operating system and the encrypted file. Even if this can prove to be more functional, it severly lowers the security of the system, so it should be used with caution, The Virtual Disk Encryption method is very portable as it doen’t involve filesystem metadata (path, times- tamps, etc.) nor the operating system support (everything is performed throught the bundled software). Often when the container is copied or moved from the disk to a portable device, also the necessary executable is inserted, making the container accessible from other computes. Thanks to this ease of portability this method is also preferred for making quick backups of the encrypted file.

2.3 Volume Encryption

Volume Encryption adopts the container technology used in Virtual Disk Encryption for protecting a whole disk partition, like in Full Disk Encryption. So it inherits all the properties of both methods, easy and quick backups, external software for accessing the container, transparent for the user as it protects all ﬁles in the volume and portability. Moreover it is possibile to mount this volume container, just like any other disk device, and use it directly without the software (which is alwasy needed for authentication). On the other hand this solution offers lower encryption capabilities than Full Disk Encryption, since it cannot cipher the primary disk where the operating system is installed and so it cannot even protect the memory or the swap ﬁle.

2.4 File/Folder Encryption

File/Folder Encryption is very similar to the Virtual Disk Encryption solution, basically it’s its transparent implementation: the software is directly integrated in the operating system and the container is just a filesystem folder. This method is very performant, as it is possible to encrypt/decrypt single files, instead of the whole container, and since it is directly supported by the filesystem the directory structure and datapath are preserved, without having to move the files in the container. Moreover its integration with the operating system allows some automatic encryption of files written by selected applications, files with a certain extension and files from particular users. Also in this solution it is possible to adopt single sign-on for rapid access to files. One of the main drawbacks of this solution is that external information of files, such as filename, size, type and path, are not (and can’t) be protected, reducing the the level of confidenciality offered.

2.5 Other Solutions

Full Disk Encryption, Virtual Disk/Volume Encrytpion and File/Folder Encryption are not the only available solutions, but are certainly the most adopted. Other methods are less supported by the existing environment and/or require additional actions from the user. One solution involves modification of the application level in order to cipher only the important pieces of information; for example in a database application it is possible to encrypt only the sensitive fields of certain tables, like customers’ private data. Obviously this metodology can be applied in limited occurences and so is rarely applied. Another solution is to let access of important data only through a virtual machine disconnected form the network which is encrypted when not in use. This solution is very similar to the Virtual Disk Encryption but 2.5 Other Solutions 7 offers additional security as it is possible to nest different protection measures and tell apart the important data from the user data; since virtual machine are single files it is very easy to make backups. One final solution consists in forbidding the storage of sensitive information on any device. This is performed in several ways:

• No copies on mobile devices, like PDAs, memory cards or USB drives;

• No copies on CD or DVD if data has not been encrypted;

• Adopting a terminal/client environment, so data can be secured directly on the mainframe and accessed only after user authentication;

• Accessing sensitive data only through secure applications, for example using a web portal to gather and manipulate data over a secure SSL channel (in which it’d be convenient to authenticate both the server and the client). Chapter 3

Solution Analisys

AVING PRESENTED THE MAIN choices of Storage Encryption techniques, in this chapter will be presented H a detailed analisys of general problems in adopting a solution and the theoretical and practical aspects of the encryption process and authentication metodology.

3.1 Possible Problems

After having set up a Storage Encryption environment, many implementation aspects are often not taken care of. For example there is no solution that protects the empty space disk. When deleting a ﬁle often its content is not totally deleted, but its pointer is just deferenced; so using forensic analisys over the empty space it is possibile to restore part or the whole of the ﬁle. Another weak point of the current solutions is that after authentication data is decrypted right away and stored in primary memory with no protection and unauthorized software could fetch sensitive data directly from it. Simirarly there are almost no systems that preseve encryption over copied or moved data. Moreover many software based solutsions keep authentication information like keys and password on the device they are protecting, making it easy prey of malware and malicious attacks. Finally all systems are susceptible to keyloggers, hardware or software devices that keep track of what has been typed on the keyboard, in order to obtain passwords or directly important data itself. On the other hand modern technologies are very compatibile with each other and so it is possible to use several protection systems for the same resource even with different keys each. Moreover the same resource can be shared by multiple users still in encrypted form and decrypted with several different keys; see §3.3 for further details.

3.1.1 Advantages/Disadvantages Summary Here is a brief summary of the advantages and disadvantages of each of the main solutions. Please see §2 for a more detailed description.

Full Disk Encryption + All data on disk is protected and the user hasn’t got to choose which ﬁles to protect;

+ Immediate data destruction, it is just needed to destroy the keys and data will be unreadable;

- Offers no protection whatsoever when the operating system is loaded;

- Limited protection to swap and hibernation ﬁles.

Virtual Disk/Volume Encryption + Only selected content protected;

+ Very portable and easy backup;

8 3.2 Cryptoghaphic Concerns and Management 9

+ Possibile single sign-on for automatic access to encrypted ﬁles;

- No protection to swap ﬁle and primary memory.

File/Folder Encryption + Integrates perfectly with the operating system and the ﬁlesytem;

+ Possibile single sign-on for automatic access to encrypted ﬁles;

- Needs ﬁlesystem support for preserving encryption;

- Less conﬁdenciality offered.

3.2 Cryptoghaphic Concerns and Management

Storage Encryption offers some intersting challenges from the point of view of cryptographic analisys. As a matter of fact a great number of parameters is implementation dependant, like the number and the types of keys used in the cipher, the encryption algorithm and the storage of the hashes of the authentication details (as username and password mustn’t be kept in cleartext). Generally, according to [1], the preferred algorithm for security and performance reasons is the Advanced Encryption Standard (AES) with integrity checking through either HMAC-SHA or Cipher-Based Message Authentication Code (CMAC), or Counter with Cipher Block Chaining-Message Authentication Code (CCM), Please see [1] for additional details. There are two very aspects that affect the classical encryption process. The first one is that there are encrypted files that have to be shared across multiple users. Clearly it is impossible to reuse the same key, because it would be too greatly reduce the security level of the key (and the associated password). So it must be used a triky solution: each single key is used to decrypt another file which contains the single key used to decrypt the actual encrypted data. This procedure is described in more details in §3.3. The other peculiar factor is that since a single loss of a key can make the whole encrypted data unreadable, just as if it would be completely destroyed, there must be some kind of recovery system. This is implemented in several ways like using a special recovery key in addition to the users’ keys. Very often however keys are kept secure in a centralized server that is used for management. As a matter of fact all the described solutions are set up to be controlled and managed remotely from a centrilized computer which is in head for handling many management aspects. Moreover with a centrally managed system it is possible to perfom frequent and easy backup of the sensitive encrypted data and/or of the computer setting. Here is a list of the advantages of a centrally managed environment:

Updates and deploying One of the key factor for a secure storage environment is to keep software updated and be able to deliver to the ﬁnal users quickly;

Configuration As said before, there are many parameters to be configured, not only the algorithms and key, but also some authentication settings (like files accesibile from differnt groups of users, admistrators and single user);

Logs Many programs help to keep track of ﬁle access or password modiﬁcation and having a centralized managent system is necessary for fetching and saving such information;

Recovery Recovery keys when the main key is lost or damaged are stored on the centralized system in order to always keep a safe copy for quick action. Sometimes it is possible to store backups of encrypted data too;

Routine system management Just some control and checks over the running systems. 3.3 Authentication Issues 10

3.3 Authentication Issues

Authentication is another important aspect of a Storage Encryption environment. All the solutions presented are based on a successful authentication for allowing access to encrypted ﬁles. This is achieved with any of the following authenticators (in order of effectiveness against security): single sign-on Access granted via the credentials provided by the operating system; unique password or PIN A normal password-based authentication; token-code Single use codes, obtained from additional hardware, providing one time passwords; token-code with unique password or PIN The union of the two previous factors.

It is possible to use either one-factor authentication or two-factor authentication systems; with the former the authenticator usually grants access to the key used in actual decrypting while with the latter tipically one factor gives access to another factor which is the one used in decrypting information; as [1] reports, a password can be used to retrieve a key from a smart card and use that key to decrypt the storage encryption key. Clearly two-factor authentication is much more secure and the acquisition of either factor doen’t cause the disclosure of the encrypted data. Another interesting aspect of the authentication process is when dealing with encrypted ﬁles accessible from different multiple users. This seems to break the conventional rules of encryption algorithms, but actually the implementation is very simple. The data is encrypted with just a single key which is put in a container or a clear ﬁle; in either ways, the key is repetidely encrypted with as many keys as users. So when a user uses his own password or key to access the data, that password is used to decrypt the ciphered key used in for real access to data. This can prove to be delicate when the key needs updated, but thanks to centrally managed system the process requires very little time for encrypting the main key several times and depoying the secondaray key to the users.

3.4 Selection Aspects

The choice of the Storage Encryption technology should be based on several factor and should not be limited to a single solution. The main aspect on which perform the selection are:

• what needs protection

• what are the authenticators supported

• how does the operating system support the solution

• how is the system managed

• interoperability between different operating systems

• which is the performance impact of the solution

• how are recovery and backups performed Chapter 4

Current Implementations and Benchmarks

N THIS FINAL CHAPTER it will be shown a set of the modern opensource implementations for storage en- I cryption systems; a compehensive list of all the storage encryption software is located at [6]. The analisys will provide a description of the main features and some actual performance tests about the performance impact.

4.1 TrueCrypt 5.0

TrueCrypt is one of the most portable solution as it is available for Windows, Mac OS X and Linux systems and its sources are freely available. It offers lots of cryprographic algorithms too, like AES (default), Blowfish, Serpent, 3DES, Twofish and combination of them; it secures the passwords with RIPEMD-160, SHA-1 or Whirlpool hashes. This tool also gives the possibility to create hidden volumes that are more difficult to identify. Given its portability, every disk image created with TrueCrypt is readable by any version of the software on any operating system; on the othe hand, the disk image format is not standard and can’t be mounted by normal system tools but requires the presence of the software to access the containers.

4.1.1 TrueCrypt for Linux The version for Linux systems installs a command line program that implements only the Virtual Disk/Volume Encryption solution. With the option truecrypt -c it is possible to map a virtual container or a partition as an encrypted volume. Then the user is prompted for selecting the volume size, the cipher, the hash and the filesystem; as standard UNIX tools, it is possible to pass these parameters as command line arguments. After the volume creation it is possible to mount like any other device to a folder, but not with the mount command: it is necessary to mount the container always with the truecrypt program, which will need the correct volume password in order to access it. Now it is possible to use the encrypted volume (or file) like a stardard storage device. The only available filesystem for the container is FAT.

4.1.2 TrueCrypt for Windows The version for Windows offers the Full Disk Encryption and Virtual Disk/Volume Encryption as well. The program has a graphical user interface with the same options of the Linux counterpart: same algorithms, same hashes, possibility to mount the container as a normal volume and so on. The user just needs to follow a graphical wizard where each parameter is somewhat described. For mounting volumes the user has to browse for the image ﬁle and a select drive letter; now it is possible to access the container like a normal drive from My Computer folder. This volume can be formatted in FAT or NTFS ﬁlesystems.

4.1.3 TrueCrypt for Mac OS X The version for Mac OS X has the same graphical user interface of the Windows version, but doesn’t offer the Full Disk Encryption implementation. There are the usual encryption algorithms and hashes and it is possible to mount volumes only with the program itself.

11 4.2 BestCrypt 12

Also in this version the only available ﬁlesystem is FAT.

4.2 BestCrypt

BestCrypt is one of the most used tools for storage encryption and one of the oldest program available (started in 1993). The sources are open for review, but the program is not free: there is a 30-day tryout before purchasing a licence. This software has more parameters of choice with respect to TrueCrypt as it has more encryption algorithms, (like IDEA, CAST and GOST), more hashes for password (like MD5) and supports as many ﬁlesystems as the operating system can (FAT, EXT2/3 and ReiserFS on Linux, FAT and NTFS on Windows). Another interesting feature is that images created by different version of this program are compatible with each other.

4.2.1 BestCrypt for Linux The Linux version offers only Virtual Disk/Volume Encryption implementation. Actually it is more difﬁcult to install than Truecrypt, beacuse it requires some proprietary modules to be loaded into the kernel, and once installed there is no tutorial or wizard for creating volume ﬁles, but needs direct command line arguments from the user. The program bctool requires an action to perform. The most used are:

• new to create a virtual disk or a block volume, with the -a option for selecting the cipher;

• format to format the container with the FAT ﬁlesystem (you can select others with the -t option);

• mount to mount the container like any other device.

4.2.2 BestCrypt for Windows Similarly to TrueCrypt this version of BestCrypt support Virtual Disk/Volume Encryption and Full Disk En- cryption. It offers even more parameters for virtual disks like authentication method (password based, public key or shared secret) and hash functions (most notably SHA-256). Also in this version there is a graphical user interface with a control panel listing all the mounted volumes and the disk images that are possible to be mounted.

4.3 Operating System Integrated Solutions

Here is a presentation of the main security features for storage devices already present in current operating systems.

4.3.1 Linux - dm-crypt Linux world shifts continuosly and new features regarding cryptography are added to the kernel very often. However there is one standard tool to manage the encrypted devices: dm-crypt which stands for Device Mapper for (en)Cryption. It is a kernel tool that maps encrypted disk to standard device files and while authentication and encryption is performed externally by tools like cryptsetup. The format in which the container or the volume is encrypted is standardized by the LUKS project (Linux Unified Key Setup). In this way the container can be created, mounted, managed by different software, even on different operating system; for example FreeOTFE for Windows is capable of handling virtual disks created in Linux and the disks created by FreeOTFE can be mounted in Linux systems. cryptsetup is capable of creating Volume Encryption devices and with Virtual Containers even if the latter requires a loop device already available (operation usually done with losetup; for more information see §1.2.4 or consult [3]). Since it works with dm-crypt which is close to the kernel, it can create encrypted root systems with the Pre-Boot Authentication. This is usually done by editing the bootloader and creating (or modifying if existing) and the initrd.img file; at start up initrd.img is loaded before the kernel and 4.4 Final Benchmarks 13 it generates a subsystem for user authentication, aftet which the system is dynamically decoded and loaded. Regarding this process there is very detailed guide at [7]. The syntax for cryptsetup is a little more complicated with respect to other solutions and there is practically no wizard at all. When dealing with Volume Encryption in general it is necessary to add the prefix luks to standard operation (open, mount, create) and to define the hash and cipher from command line (default AES, RIPEMD-160). The filesystem supported are the same supported by the operating system in which the container is created.

4.3.2 Windows - EFS On Windows system the main file system is NTFS (New Technology File System) and it does support encryption through EFS (Encrypted File System); on top of a NTFS filesystem the metadata of the file (or folder) is changed and the content associated is encrypted with AES-256 (optionally with 3DES or DESX). This feature has been introduced since Windows 2000 and improved in later versions of the system. The latest version supports multiple shared encrypted files, authentication with publc certificate and with smart card and encryption of the swap file. From the point of view of the security, this system is quite laking as the file can still be modified externally (for example renamed) and the file name can still be read (possibly disclosing its content). On the other hand, from the point of view of simplicity, this system is very easy to use, as the steps for encrypting a file are just three: right-click on the file to encrypt. click on Advanced and then check Encrytpt contents to secure data.

4.3.3 Mac OS X - FileVault Machintosh systems offer data protection for the whole home folder of the user; this is generally good, since the user doen’t have to select which ﬁles to protect. However one of its main drawbacks is that solely the home folder is protected, while the rest of the operating system is unprotected; so there is no Full Disk Encryption support and preservation of the encryption of data on external devices is impossible. The adopted algorithm is the Advanced Encryption Standard with a 128 bit key derived directly from the users’ password; when the user is logged on the system, there is no need for insertion of a password, making this solution very transparent. It is also possible to set up a master password for unlocking or restoring a FireVault account, very usefult for recovery. The system implements a Virtual Disk Encyption method as it creates a container of expandable dimensions, moves the contents of the home folder there, encrypts the container and mounts it where the home folder was previously located. This solution is easy to enable, in System Setting, click Security and then Activate FileVault. Latest versions of this software were addressing the performance impact which has been drastically reduced over time. For more information please consult [8].

4.4 Final Benchmarks

In order to understand the performance impact of the different solutions, several tests were run over the encrypted ﬁle systems; more precisely the time was recorded to perform the following operations:

1. write 1 ﬁle of dimension 1B, 1kB, 10kB, 100kB, 1MB, 10MB with sequences of 1 byte;

2. write 1 ﬁle of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 1024 bytes;

3. write 1 ﬁle of dimension 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 4096 bytes;

4. write 100 ﬁles of dimension 1B, 1kB, 10kB, 100kB, 1MB with sequences of 1 byte;

5. write 100 ﬁles of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB with blocks of 1024 bytes;

6. write 100 ﬁles of dimension 100kB, 1MB, 10MB, 100MB with blocks of 4096 bytes. 4.4 Final Benchmarks 14

The tests for Full Disk Encryption were run on a Windows XP machine, Intel Pentium 4 HT 3,8GHz with 2 GB of RAM, 10000rpm 40 GB SATA disk with NTFS. The tests for Virtual Disk/Volume Encryption were run on a Ubuntu Linux 7.10 machine, Intel Core 2 Duo 2,8GHz with 2 GB of RAM, 7200rpm 10 GB SATA disk. The ﬁlesystem adopeted for the tests was FAT so to mantain a layer of compatibility among the different solutions.

4.4.1 Volume Encryption This test put in comparison the performance of physical volumes encrypted with TrueCrypt, BestCrypt and cryptsetup with the performance of a plain ﬁlesystem (FAT). Here is the result of the tests (time expressed in seconds), followed by some analysis: XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 B 0,016 0,015 0,015 0,015 1 kB 0,021 0,021 0,025 0,022 10 kB 0,76 0,075 0,074 0,068 100 kB 0,567 0,539 0,542 0,547 1 MB 5,389 5,478 5,291 5,359 10 MB 54,261 56,157 5,473 55,574

Table 4.1: Volume Encryption perfomance test #1 (one ﬁle from single bytes).

XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 kB 0,015 0,015 0,014 0,016 10 kB 0,015 0,015 0,015 0,016 100 kB 0,02 0,016 0,016 0,018 1 MB 0,03 0,28 0,032 0,034 10 MB 0,131 0,135 0,136 0,137 100 MB 1,2 1,4 3,688 5,168 1 GB 19,005 41,96 53,253 77,42 4 GB 48,899 156,476 200,418 421,747

Table 4.2: Volume Encryption perfomance test #2 (one ﬁle from blocks of 1024 bytes).

XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 100 kB 0,028 0,026 0,015 0,017 1 MB 0,029 0,029 0,022 0,025 10 MB 0,101 0,088 0,104 0,093 100 MB 0,915 1,17 3,328 5,772 1 GB 32,044 39,585 39,592 133,961 4 GB 41,316 153,541 161,019 404,589

Table 4.3: Volume Encryption perfomance test #3 (one ﬁle from blocks of 4096 bytes). 4.4 Final Benchmarks 15

XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 B 0,715 0,715 0,093 0,774 1 kB 1,354 1,559 1,683 1,324 10 kB 6,800 6,668 7,432 6,631 100 kB 55,231 54,039 55,318 60,418 1 MB 210,284 562,170 553,444 543,940

Table 4.4: Volume Encryption perfomance test #4 (multiple ﬁles from single bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 kB 0,396 0,829 0,905 0,765 10 kB 0,398 0,731 1,019 0,831 100 kB 0,545 0,825 1,259 0,957 1 MB 2,485 3,090 5,492 5,757 10 MB 24,901 34,569 59,463 126,050 100 MB 158,549 694,73 452,373 1034,821

Table 4.5: Volume Encryption perfomance test #5 (multiple ﬁles from blocks of 1024 bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 100 kB 0,892 0,873 0,959 0,991 1 MB 2,461 2,192 6,560 5,260 10 MB 14,417 37,550 62,043 60,748 100 MB 143,273 425,355 391,263 968,217

Table 4.6: Volume Encryption perfomance test #6 (multiple ﬁles from blocks of 4096 bytes).

Conclusions From the data of above it is possible to notice that the greatest overhead is tangible when dealing with files greater than 100 MB. Most of the the slowness is due to the old architecture of the targe file system (FAT), but for small files there actually no sensible performance loss. Instead for large files (over the gigabyte) the write time is as much as 10 times greater, but generally is only three or four time slower. Overall, the analized software performed quite well, sometimes even performing better than the plain filesystem, but every solution has problems with large files: cryptsetup is the wrost when dealing with large files, but on the other hand it performs slightly better than others for small files, especially sequential ones; TrueCrypt sustained perfectly all the tests for single files, but was outdo by BestCrypt for handling sequential files; moreover BestCrypt incredibly enhances the performance of file system for files generated by single bytes of considerable dimension (10MB) most likely thanks to heavy buffer usage.

4.4.2 Virtual Disk Encryption This series of tests continues the analysis of presented programs (TrueCrypt, BestCrypt and cryptsetup) by checking the virual container imlpementation. This time there is an unevitable perfomance loss, because containers reside on top of another file system and every opeation must go through a virtual device and then to a physical one. The file system of the target containers is always FAT, guaranteeing coherent tests among the different software. In the following tables the first column describes again the perfomance of a standard FAT disk, in order to fully understand the differnt behaviour. 4.4 Final Benchmarks 16

XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 B 0,016 0,019 0,009 0,015 1 kB 0,021 0,021 0,018 0,022 10 kB 0,076 0,074 0,070 0,069 100 kB 0,567 0,554 0,516 0,563 1 MB 5,389 5,610 5,359 5,229 10 MB 54,261 45,882 27,297 30,505

Table 4.7: Virtual Disk Encryption perfomance test #1 (one ﬁle from single bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 kB 0,015 0,016 0,017 0,015 10 kB 0,015 0,016 0,016 0,017 100 kB 0,020 0,017 0,016 0,018 1 MB 0,030 0,034 0,031 0,028 10 MB 0,131 0,134 0,133 0,129 100 MB 1,200 4,541 5,354 9,605 1 GB 19,005 60,163 70,150 131,113 4 GB 48,999 256,588 286,357 504,603

Table 4.8: Virtual Disk Encryption perfomance test #2 (one ﬁle from blocks of 1024 bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 100 kB 0,026 0,016 0,017 0,015 1 MB 0,029 0,025 0,023 0,024 10 MB 0,101 0,096 0,099 0,131 100 MB 0,915 4,550 5,514 15,981 1 GB 32,044 54,415 66,656 122,605 4 GB 41,346 261,346 264,723 439,648

Table 4.9: Virtual Disk Encryption perfomance test #3 (one ﬁle from blocks of 4096 bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 B 0,715 0,886 1,071 0,888 1 kB 1,354 1,558 1,511 1,946 10 kB 6,800 7,154 7,226 8,078 100 kB 55,231 56,646 56,108 58,125 1 MB 210,284 559,804 559,919 571,746

Table 4.10: Virtual Disk Encryption perfomance test #4 (multiple ﬁles from single bytes). 4.4 Final Benchmarks 17

XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 1 kB 0,396 0,843 0,944 0,830 10 kB 0,398 0,805 0,892 0,902 100 kB 0,545 1,057 1,122 1,156 1 MB 2,485 8,366 9,030 13,320 10 MB 24,901 69,124 86,329 118,151 100 MB 158,549 694,730 702,611 2422,278

Table 4.11: Virtual Disk Encryption perfomance test #5 (multiple ﬁles from blocks of 1024 bytes). XX XX XX Software XX vfat TrueCrypt BestCrypt cryptsetup File size XXX 100 kB 0,892 0,872 0,959 0,861 1 MB 2,461 7,871 6,560 11,762 10 MB 14,417 61,775 62,043 86,259 100 MB 143,273 681,704 699,120 1007,887

Table 4.12: Virtual Disk Encryption perfomance test #6 (multiple ﬁles from blocks of 4096 bytes).

Conclusions As stated before, the perfomance is heavily decreased even for small files, expecally sequences. The file size threshold is again 100 MB, but this time the slowdown consists in 4 to 6 times for big files and up to 15 times for sequential files with respect to a standard filesystem. The charcteristics of the previous results are mantained: cryptsetup behaves better with small files but is almost unusable with large ones, BestCrypt is fantastic for files generated by single bytes, and TrueCrypt performs quite well in most cases.

4.4.3 Full Disk Encryption Another feature of the described programs is that they can encrypt the drive where the operating system is installed on, implementing a Full Disk Encyrption solution. The measures checked the performance impact at system boostrap and under normal workload by running the tests of above (§4.4).

PP PPSoftware PP no encryption TrueCrypt BestCrypt Test PPP Boot time 32,670 38,014 37,017

Table 4.13: Full Disk Encryption boot time test. XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 1 B 0,068 0,070 0,070 1 kB 0,111 0,110 0,110 10 kB 0,467 0,466 0,465 100 kB 4,028 4,107 4,047 1 MB 39,745 43,150 41,615

Table 4.14: Full Disk Encryption perfomance test #1 (one ﬁle from single bytes). 4.4 Final Benchmarks 18

XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 1 kB 0,069 0,070 0,068 10 kB 0,068 0,071 0,069 100 kB 0,074 0,076 0,073 1 MB 0,115 0,120 0,116 10 MB 0,540 0,560 0,551 100 MB 6,113 7,630 7,239 1 GB 60,042 61,478 60,621 4 GB 302,336 293,174 281,187

Table 4.15: Full Disk Encryption perfomance test #2 (one ﬁle from blocks of 1024 bytes). XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 100 kB 0,070 0,068 0,068 1 MB 0,088 0,093 0,090 10 MB 0,296 0,422 0,302 100 MB 6,369 6,340 5,534 1 GB 49,240 76,514 78,760 4 GB 192,774 300,575 292,575

Table 4.16: Full Disk Encryption perfomance test #3 (one ﬁle from blocks of 4096 bytes). XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 1B 3,165 3,310 3,216 1kB 6,976 6,875 6,853 10kB 41,742 42,013 41,870 100kB 390,910 391,540 389,477

Table 4.17: Full Disk Encryption perfomance test #4 (multiple ﬁles from single bytes).

It was not possible to run the 1 MB files test due to the excessive metadata information stored in NTFS file systems when generating files from single bytes.

XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 1kB 2,938 3,100 3,039 10kB 2,973 2,735 2,279 100kB 4,971 3,504 3,454 1MB 7,730 7,947 7,743 10MB 53,159 55,867 59,974 100MB 704,645 737,143 727,411

Table 4.18: Full Disk Encryption perfomance test #5 (multiple ﬁles from blocks of 1024 bytes). 4.4 Final Benchmarks 19

XX XX XX Software XX NTFS TrueCrypt BestCrypt File size XXX 100kB 3,191 3,258 3,252 1MB 5,291 5,679 5,580 10MB 32,397 33,947 34,130 100MB 684,864 728,103 717,615

Table 4.19: Full Disk Encryption perfomance test #6 (multiple ﬁles from blocks of 4096 bytes).

Conclusions It is possible to notice that the overall performance is not heavily chocked: small and big files don’t suffer at all from encryption, even sequential file write is not harmed, while only extremely large files are actually lightly jeopardized. BestCrypt performed really well in the tests and the operations for setting up the encrypted system were very basic. Moreover this software supports memory and swap encryption and suits well in dual boot environments, as it installs a bootloader of its own. Protection is very well performed and in addition, if someone types a wrong password at PBA it is reported that there has been an attempt to access the computer. On the other hand TrueCrypt performed a little worse than BestCrypt and during the set up process incom- patibilies are likely to happen: for example there is no support for dual boot environments and the swap file is not encrypted. However it integrates well with operating system as it perform several checks over the hardware before starting the process and forces the user to create a rescue disk containing information about the backed up the master boot record. Bibliography

[1] K. Scarfone, M. Souppaya, M. Sexton, Guide to Storage Encryption Technologies for End User Devices, NIST Special Pubblication 800-111, 2007

[2] A.Silberschatz, P. B. Galvin, G. Gagne, Operating Systems, Chapter 10-11, Pearson Addison-Wesley, VII Ed., 2006

[3] Wikipedia, the free encyclopedia, Loop device, http://en.wikipedia.org/wiki/Loop device

[4] Wikipedia, the free encyclopedia, Full disk encryption, http://en.wikipedia.org/wiki/Full disk encryption

[5] TrueCrypt, TrueCrypt Documentation, http://www.truecrypt.com/docs

[6] Wikipedia, the free encyclopedia, Comparison of disk encryption software, http://en.wikipedia.org/wiki/Comparison of disk encryption software

[7] Gentoo-Wiki, Security - System Encryption dm-crypt with LUKS, http://gentoo-wiki.com/SECURITY System Encryption DM-Crypt with LUKS

[8] Mac OS X 10.4 Help, About FileVault http://docs.info.apple.com/article.html?path=Mac/10.4/2n/mh1877.html

20 Appendix A

Test script

The tool for running the test was this simple shell script algon with the time utility:

#!/bin/bash for ((i=0;i<$1;i++)) do dd if=/dev/zero of=file.bin bs=$2 count=$3 done

The script requires three parameters: the first for the number of files to generate, the second for the block size and the third for the final file size. During the tests the files generated were always deleted before timing, so not to deal with overwriting times. The program dd was used because it is very efficient for byte and block copy and /dev/zero was chosen as source because it is faster than other (randomized) virtual devices.