GBDE - GEOM Based Disk Encryption

Poul-Henning Kamp
The FreeBSD Project
[email protected]

Abstract

The ever increasing mobility of computers has made protection of data on digital storage media an important requirement in a number of applications and situations. GBDE is a strong cryptographic facility for denying unauthorised access to data stored on a "cold" disk for decades and longer. GBDE operates on the disk(-partition) level allowing any type of file system or database to be protected. A significant focus has been put on the practical aspects in order to make it possible to deploy GBDE in the real world. (1)

(1) This software was developed for the FreeBSD Project by Poul-Henning Kamp and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.

1. Losing data left and right

In the last couple of years, gentlemen of the press have repeatedly been able to expose how laptop computers containing highly sensitive or very valuable information have been lost to carelessness, theft and in some cases espionage. [THEREG]

The scope of the problem is very hard to gauge, since it is not a subject which the involved persons and, in particular, institutions are at all keen on having exposed. However, a few data points have been uncovered, revealing that the U.S. Federal Bureau of Investigation loses, on average, one laptop every three days. [DOJ0227]

When a computer is lost, stolen or misplaced, it is very often the case that the computer hardware represents a value which is insignificant compared to the value of the disk contents. More often than not, the only reason the press heard about it was that the material on the disk was "hot" enough to make the loss of control rattle people at government level.

While it is easy to blame these incidents on "user error", as is generally done, doing so makes it a very hard problem to fix. Human nature being what it is, seems to remain just that.

In the absence of technical counter measures, administrative measures have been applied, generally with abysmal results. In one case, a bureaucracy has handled the problem according to what could easily be mistaken for the plot from a classic Buster Keaton movie:

    First a laptop was forgotten and lost in a taxi-cab. New policy: always drive your own car if you bring your laptop. Then a car was stolen, including the laptop in the trunk. New policy: always bring your laptop with you. The next laptop was stolen from a pub while the owner was bowing to the pressures of nature. New policy: employees are not to carry their own laptops outside the office at any time. Laptops will be transported from and to the employees home address by the agency security force and will be chained and locked to a ring in the wall installed by the company janitors. All requests must be filed 3 days in advance on form ##-#. [PRIV]

2. Protecting disk contents

Protecting the contents of a computer's disk can in practice be done in two ways: by physically securing the disk or by encrypting its contents.

Physical protection is increasingly impossible to implement. It used to be that disk drives could only be moved by forklift, but these days a gigabyte disk is the size, but not quite yet the thickness, of a postage stamp.

While computers can be tied down with wires and bars can be put in front of windows, such measures are generally not acceptable, or at least not judged economically justified in any but the most sensitive operations.

That leaves encryption of the disk contents as the only practical and viable mode of protection, and both the practicality and the viability have been somewhat in doubt.

Until recently, nearly all aspects of cryptography were a highly political issue; this has eased a lot in the last couple of years and there now "only" remain a number of rather fundamental questions in the area of law enforcement and human rights, which are still unsettled.

With the political issues mostly out of the way, the next roadblock is practical: While use of cryptography can never be entirely transparent, the overhead and workload it brings must be reasonable.

2.1. Application level encryption

Encryption at the application level has been available for a number of years, primarily in the form of the PGP [PGP] program. This is about as intrusive and demanding as things can get: the user is explicitly responsible for doing both encryption and decryption and must enter the pass-phrase for every operation. (2)

Apart from the inconvenience of this extra workload, many organisations would trust their users neither to get this right nor even to want to get it right. From an institutional point of view it is important that cryptographic data protection can be made mandatory.

(2) Interestingly, this is so impractical in real world use that various applications with PGP support resort to caching the pass-phrase at the application level, thereby weakening the protection a fair bit.

2.2. Filesystem level encryption

Encryption at the file system level is a tried and acknowledged method of providing protection, but it suffers from a number of drawbacks, mainly because no mainstream file systems offer encryption.

Encrypting file systems are speciality items, which means increased cost and system administration problems of all sorts.

And since practically all operating systems use their own file system format, cross platform fully functional file systems are very rare. This means that a typical organisation will have to operate with a handful of different methods of encryption, which translates to system administration overhead, user confusion and extra effort to pass security and ISO9000 audits.

A secondary, but increasingly important issue is that data which are stored in databases on raw disk, operating system paging areas and other such data are not protected by a cryptographic file system. To protect these would mean adding yet another set of encryption methods, which leads to a situation which is very hard to handle practically and administratively.

Finally, file systems have a complex programming interface to the operating system, which traditionally has been subject to both version skew and compatibility problems.

2.3. Disk level encryption

Encryption at the disk level can protect all data, no matter how they are stored, file system, database or otherwise.

To a user, encryption at the disk level would require authentication before the computer can be used, everything functioning transparently thereafter, with all disk content automatically protected.

Given that the programming interface for a disk device is very simple and practically identical between operating systems, there are no technical reasons why the same implementation could not be used across several operating systems.

All in all this is a close to ideal solution from an operational point of view.

There are significant implementation issues however. Unlike at the higher levels, encryption at the disk level has no way of knowing a priori which sectors contain data and which sectors do not; neither is knowledge available about access patterns or relationships between individual sectors.

Where application level or file system based encryption schemes can key each file individually, a disk based encryption must key each and every sector individually, even if it is not currently used to hold data.

It has been argued that the encryption ideally should happen in the disk-drive, and while there are steps in this direction, they do unfortunately seem to have been made for the wrong reasons by the wrong people [CPRM], and have consequently not gained acceptance. Provided the owner of the computer remains in control of the encryption, I see no reason why encryption in the disk drives should not gain acceptance in the future.

3. Why this is not quite simple

Several implementations have been produced which implement a disk encryption feature by running the user provided passphrase through a good quality one-way hash function and using the output as a key to encrypt all the sectors using a standard block cipher in CBC mode. A per sector IV for the encryption is typically derived from the passphrase and sector address using a one-way hash function. Two typical examples are [CGD] and [LOOPAES].

Unfortunately this approach suffers from a number of significant drawbacks, both in terms of cryptographic strength and deployability.

For data to stay protected for decades or even lifetimes, sufficient margin must exist not only for technological advances in brute force technology, but also for theoretical advances in cryptanalytical attacks on the algorithms used.

Protecting a modern disk, typically having a few hundred million sectors, with the same single 128 or 256 bits of key material offers an incredibly large amount of data for statistical, differential or probabilistic attacks in the future.

Worse, because the sectors contain file system or database data and meta data which are optimised for speed, the plaintext sector data typically have both a high degree of structure and a high predictability, offering ample opportunities for statistical and known plaintext attacks.

[...] available hardware, and is consequently out of the question.

The third design criterion came from the fact that people forget passphrases, and while losing the entire content of the disk as punishment could be seen as a large-calibered educational device, it is not acceptable from a real world perspective: there must be some kind of multiple access paths.

Given that GBDE is open source software, there is little more than symbolic value in a hierarchical set of passphrases: changing the source code to bypass the hierarchy cannot trivially be prevented. It is also not clear what the hierarchy would control in the first place. Since all sectors are treated the same, it cannot be used to implement hierarchical access levels, and implementing a hierarchy which only affects the key
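The construction that section 3 describes (passphrase hashed into one disk-wide key, CBC mode, per-sector IV hashed from passphrase and sector address) can be written out as follows. This is an added example, not code from the paper, GBDE, CGD or loop-AES. Assumptions: SHA-256 as the hash, 512-byte sectors, and a small SHA-256-based Feistel network standing in for the "standard block cipher" so that it runs on the Python standard library alone.

```python
import hashlib

BLOCK, SECTOR = 16, 512   # cipher block and sector size in bytes (assumed values)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in block cipher: a 4-round Feistel network
    # built on SHA-256. It is NOT AES and is used only so this runs on stdlib.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def disk_key(passphrase):
    # One hash of the passphrase keys every sector; the address is not an input.
    return hashlib.sha256(passphrase.encode()).digest()

def sector_iv(passphrase, sector_no):
    # Per-sector IV: one-way hash of passphrase and sector address.
    data = passphrase.encode() + sector_no.to_bytes(8, "big")
    return hashlib.sha256(data).digest()[:BLOCK]

def encrypt_sector(passphrase, sector_no, plain):
    key, prev, out = disk_key(passphrase), sector_iv(passphrase, sector_no), b""
    for i in range(0, len(plain), BLOCK):
        prev = block_encrypt(key, _xor(plain[i:i + BLOCK], prev))  # CBC chaining
        out += prev
    return out

def decrypt_sector(passphrase, sector_no, cipher):
    key, prev, out = disk_key(passphrase), sector_iv(passphrase, sector_no), b""
    for i in range(0, len(cipher), BLOCK):
        blk = cipher[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out

if __name__ == "__main__":
    unused = bytes(SECTOR)    # constructed sample: an all-zero, never-written sector
    c7, c8 = (encrypt_sector("correct horse", n, unused) for n in (7, 8))
    print(c7 != c8, decrypt_sector("correct horse", 7, c7) == unused)
```

Only the IV varies with the sector address; `disk_key` is the same for every sector on the disk, which is the "same single 128 or 256 bits of key material" the section objects to.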
