Difference between revisions of "Full Disk Encryption"
From Forensics Wiki
(Added links to Hitachi & PointSec) |
(Added TrueCrypt, FreeBSD GBDE and GELI, NetBSD CGD, OpenBSD vnconfig and PGPdisk.) |
||
| Line 33: | Line 33: | ||
== Software Solutions == | == Software Solutions == | ||
| + | |||
| + | ; [[TrueCrypt]] | ||
| + | : Transparent full disk encryption for [[Linux]] and [[Windows]. Supports various [[ciphers]]: [[AES]] (256 bit), [[Serpent]] and [[Twofish]]. | ||
| + | : It provides protection from watermarking and inference attacks (volumes cannot be distinguished from random data). | ||
| + | : Supports hidden volumes within TrueCrypt volumes (plausible deniability). | ||
| + | : http://www.truecrypt.org/ | ||
| + | |||
| + | ; [[GBDE]] | ||
| + | : [[GEOM]] Based Disk Encryption. Provides transparent full disk and swap encryption for [[FreeBSD]]. Supported [[ciphers]]: [[AES]] (128 bit). | ||
| + | : Supports hidden volumes and Pre-Boot Authentification. | ||
| + | : Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE. | ||
| + | : http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html | ||
| + | : http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf | ||
| + | |||
| + | ; [[GELI]] | ||
| + | : Cryptographic [[GEOM]] class. Provides transparent full disk encryption for [[FreeBSD]]. Supports various [[ciphers]]: [[AES]], [[Blowfish]] and [[3DES]]. | ||
| + | : Supports hidden volumes and Pre-Boot Authentification. | ||
| + | : http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8 | ||
| + | |||
| + | ; [[CGD]] | ||
| + | : Cryptographic Device Driver. Provides transparent full disk encryption for [[NetBSD]]. | ||
| + | : Supports various [[ciphers]]: [[AES]] (128 bit blocksize and accepts 128, 192 or 256 bit keys), [[Blowfish]] (64 bit blocksize and accepts 128 bit keys) and [[3DES]] (uses a 64 bit blocksize and accepts 192 bit keys (only 168 bits are actually used for encryption). | ||
| + | : http://www.netbsd.org/docs/guide/en/chap-cgd.html | ||
| + | |||
| + | ; [[vnconfig]] | ||
| + | : The -K option of [[OpenBSD]] vnconfig(8) associates and encryption key with the svnd device. Supports saltfiles. Supported [[ciphers]]: [[Blowfish]]. | ||
| + | : http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8 | ||
| + | |||
| + | ; [[PGPDisk]] | ||
| + | : Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with Pre-Boot authentification for [[Windows]]. Also supports [[MacOS]] X 10.4 (non-boot disks only). | ||
| + | : Can use OpenPGP RFC 2440 keys and X.509 keys for authentification. | ||
| + | : Supports USB Tokens for authentification. | ||
| + | : Supported [[ciphers]]: [[AES]] (256 bit keys). | ||
| + | : http://www.pgp.com/products/wholediskencryption/ | ||
; [[BitLocker]] | ; [[BitLocker]] | ||
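Review bot: The added TrueCrypt entry contains an unclosed wiki link, `[[Windows]`, which will render as literal brackets instead of a link; it should read `[[Windows]]`. In the CGD entry, the 3DES parenthetical opens two parentheses and closes only one, so the sentence needs one more closing parenthesis or a rewording such as "accepts 192 bit keys, of which only 168 bits are actually used for encryption". The vnconfig line says "associates and encryption key" where "an encryption key" is meant. "Authentification" in the GBDE, GELI and PGPDisk entries should be "authentication". The last entry is titled `[[PGPDisk]]` but its text describes "Pretty Good Privacy Whole Disk Encryption"; consider making the link title match the product name used in the description.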
Revision as of 02:32, 17 December 2007
Full Disk Encryption or Whole Disk Encryption is a phrase that was coined by Seagate to describe their encrypting hard drive. Under such a system, the entire contents of a hard drive are encrypted. This is different from Full Volume Encryption where only certain partitions are encrypted.
Some examples of full disk encryption:
Hardware Solutions
- Network Appliance (Decru)
  - http://www.netapp.com/ftp/decru-fileshredding.pdf
  - http://www.decru.com/products/pdf/dsEseries.pdf (NetApps DataFort)
  - http://www.decru.com/products/ltkm.htm (Decru Lifetime key Management)
  - http://www.forensicswiki.org/images/6/6f/Securing_Storage_White_Paper.pdf (Decru white paper)
- Jetico BestCrypt
  - http://www.jetico.com/
- Securstar driveCrypt DriveCrypt 4.20 - 1344Bit Hard Disk Encryption
  - http://www.securstar.com/products_drivecryptpp.php
- Eracom Technology DiskProtect
  - http://www.eracom-tech.com/drive_encryption.0.html
- Hitachi Bulk Data Encryption
  - http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
Software Solutions
- TrueCrypt
  - Transparent full disk encryption for Linux and Windows. Supports various ciphers: AES (256 bit), Serpent and Twofish.
  - It provides protection from watermarking and inference attacks (volumes cannot be distinguished from random data).
  - Supports hidden volumes within TrueCrypt volumes (plausible deniability).
  - http://www.truecrypt.org/
- GBDE
  - GEOM Based Disk Encryption. Provides transparent full disk and swap encryption for FreeBSD. Supported ciphers: AES (128 bit).
  - Supports hidden volumes and pre-boot authentication.
  - Since data loss can occur on unexpected shutdowns, GELI is recommended instead of GBDE.
  - http://www.freebsd.org/cgi/man.cgi?query=gbde&apropos=0&sektion=8&manpath=FreeBSD+6.2-RELEASE&format=html
  - http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf
- GELI
  - Cryptographic GEOM class. Provides transparent full disk encryption for FreeBSD. Supports various ciphers: AES, Blowfish and 3DES.
  - Supports hidden volumes and pre-boot authentication.
  - http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8
- CGD
  - Cryptographic Device Driver. Provides transparent full disk encryption for NetBSD.
  - Supports various ciphers: AES (128 bit blocksize and accepts 128, 192 or 256 bit keys), Blowfish (64 bit blocksize and accepts 128 bit keys) and 3DES (64 bit blocksize and accepts 192 bit keys, of which only 168 bits are actually used for encryption).
  - http://www.netbsd.org/docs/guide/en/chap-cgd.html
- vnconfig
  - The -K option of OpenBSD vnconfig(8) associates an encryption key with the svnd device. Supports saltfiles. Supported ciphers: Blowfish.
  - http://www.openbsd.org/cgi-bin/man.cgi?query=vnconfig&sektion=8
- PGPDisk
  - Pretty Good Privacy Whole Disk Encryption provides transparent whole disk encryption with pre-boot authentication for Windows. Also supports MacOS X 10.4 (non-boot disks only).
  - Can use OpenPGP RFC 2440 keys and X.509 keys for authentication.
  - Supports USB tokens for authentication.
  - Supported ciphers: AES (256 bit keys).
  - http://www.pgp.com/products/wholediskencryption/
- dm-crypt
  - Transparent file system and swap encryption for Linux using the Linux 2.6 device mapper. Supports various ciphers and LUKS (Linux Unified Key Setup).
  - http://www.saout.de/misc/dm-crypt/
- loop-AES
  - Transparent file system and swap encryption for Linux using the loopback device and AES.
  - http://sourceforge.net/projects/loop-aes/
- SafeGuard Easy
  - Certified according to Common Criteria EAL3 and FIPS 140-2.
  - Encryption algorithms supported: AES (128 and 256 bit) and IDEA (128 bit).
  - Provides complete hard drive encryption including the boot disk.
  - http://www.utimaco.us/products