1

I read the cold boot paper and how they manage to recover the original private key even if it's partially corrupted, and it got me thinking.

Suppose you have a fully encrypted disk via, say, TrueCrypt, and you damage this drive (toss it around, put it in a microwave, drill through it, etc.).

Can you still decrypt part of the data even if you don't have all of it? Supposing you have the private key.

If so, how?

drov
  • Well I can't tell you how if you don't say what kind of disk encryption it is. It is possible to recover partial data if some parts cannot be read. How exactly this is done depends on the technology used. – Aria Aug 11 '16 at 19:10
  • @Aria, OP mentions truecrypt – user2320464 Aug 11 '16 at 19:12
  • @drov, physical damage to the hard disk prevents data recovery even if you have the private key. http://security.stackexchange.com/questions/100100/how-to-securely-physically-destroy-a-hard-drive-at-home – user2320464 Aug 11 '16 at 19:18
  • Whoops. But as disk encryption is usually per "block" of data, if the disk image is taken, there should be no difference in recovery whether it is encrypted or not. If the private key is known, that should not be an issue. However, if you do destroy the disk properly, then it's rather not possible. – Aria Aug 11 '16 at 19:28

1 Answer

1

Generally, for full-disk encryption, data is encrypted at the block layer (if the entire filesystem was encrypted as one big blob, you'd have to load the whole thing into memory and decrypt it before you could access anything; if you changed just one bit you'd have to re-encrypt and write the entire disk!). This way, if part of the disk goes bad, you don't lose all of your data.

So yes, if part of the disk was intentionally destroyed but the key was available, the remaining data could be decrypted. Without the filesystem table, though, it would just be a bunch of binary data that would have to be parsed into files, but there is software to help with this task.
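
The per-block independence described in the answer above, as an added example that is not part of the original post or of TrueCrypt's code. It assumes 512-byte sectors and uses a SHAKE-256 keystream keyed by sector number as a stand-in for the real sector cipher; the key, the image and the list of damaged sectors are constructed for the demonstration.

```python
import hashlib

SECTOR = 512  # assumed size of one independently encrypted unit


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector (XOR is its own inverse).

    Stand-in for a tweakable sector cipher: the keystream depends only on
    the key and the sector number, never on neighbouring sectors.
    Not safe for real use (rewriting a sector would reuse the keystream).
    """
    ks = hashlib.shake_256(key + sector_no.to_bytes(8, "little")).digest(SECTOR)
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_image(key: bytes, plain: bytes) -> bytes:
    if len(plain) % SECTOR:
        raise ValueError("image must be a whole number of sectors")
    return b"".join(crypt_sector(key, i, plain[i * SECTOR:(i + 1) * SECTOR])
                    for i in range(len(plain) // SECTOR))


def recover(key: bytes, image: bytes, unreadable: set) -> dict:
    """Decrypt every sector the imaging pass could read.

    Returns {sector_no: plaintext}; unreadable sectors are skipped, and
    skipping them has no effect on any other sector.
    """
    return {i: crypt_sector(key, i, image[i * SECTOR:(i + 1) * SECTOR])
            for i in range(len(image) // SECTOR) if i not in unreadable}


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    # Constructed 16-sector plaintext "disk"; each sector is self-labelled.
    plain = b"".join(f"sector {i:04d} ".encode().ljust(SECTOR, b".")
                     for i in range(16))
    image = bytearray(encrypt_image(key, plain))
    # Constructed damage: sector 0 stands in for lost filesystem metadata.
    damaged = {0, 5, 6, 11}
    for i in damaged:
        image[i * SECTOR:(i + 1) * SECTOR] = bytes(SECTOR)  # zero-filled by imager
    recovered = recover(key, bytes(image), damaged)
    intact = [i for i, p in recovered.items()
              if p == plain[i * SECTOR:(i + 1) * SECTOR]]
    return plain, recovered, intact


if __name__ == "__main__":
    _, recovered, intact = demo()
    print(f"recovered {len(intact)} of 16 sectors intact:", intact)
```

The recovered sectors come back as raw data keyed by sector number; with sector 0 gone, turning them into files is the carving step the answer mentions.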