2

How is the data key used for full disk encryption protected? Is a wrapping key derived from the password, or is it simply unlocked once the password has been supplied? If an existing or proprietary key derivation mechanism is used, where would the key derivation mechanism be defined? How is access to the drive protected with regards to dictionary attacks? Is it possible to try any number of passwords (once the drive is directly accessible to an attacker)?

I've been trying to read a lot of documentation, especially on the pages of the Trusted Computing Group, but I cannot find any information on the subject. I have only found out that the data key is generally always used and that it is unlocked using the password.

If there is no generic method, then how is it protected on A-brand disks such as Intel SSD's and Samsung SSD's?

References to the right standard documents or user manuals are highly appreciated.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
Maarten Bodewes
  • 4,562
  • 15
  • 29
  • Great question, I imagine this varies heavily by device type and manufacturer (for example I could give a good answer about Android FDE, but it probably doesn't apply to Intel SSDs). I've bolded that part for people who skim. – Mike Ounsworth Aug 23 '16 at 12:26
  • Some digging around this site found [this answer](http://security.stackexchange.com/a/5665/61443) which has no citations, but suggests that the AES key is stored in the clear on the disk's non-volatile RAM (NVRAM). You've got me curious now :P – Mike Ounsworth Aug 23 '16 at 12:34
  • Related question from yesterday with some good links in the comments: http://security.stackexchange.com/q/134564/61443 – Mike Ounsworth Aug 23 '16 at 13:26

1 Answers1

-1

I like the disk encryption wiki from valinux. It is reasonable to assume most disk encryption schemes work in a very similar manner, and may be implemented entirely based on well-established open standards.

I would go so far as saying that if you discover anything proprietary in a disk encryption scheme, to stay away from it since it could very well conceal a backdoor. PBKDF2 is a fairly popular and standards based key derivation function. AES is most likely the encryption algorithm of choice, preferably with 256 bits, and if you want one of its stronger variants, look for GCM.

Copied some informative diagrams below from the wiki.

╭┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈╮                        ╭┈┈┈┈┈┈┈┈┈┈┈╮
┊ mount passphrase ┊━━━━━⎛key derivation⎞━━━▶┊ mount key  ┊
╰┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈╯,───⎝   function  ⎠     ╰┈┈┈┈┈┬┈┈┈┈┈╯
╭──────╮            ╱                               │
│ salt │───────────´                                │
╰──────╯                                            │
╭─────────────────────╮                             ▼         ╭┈┈┈┈┈┈┈┈┈┈┈┈╮
│ encrypted master key│━━━━━━━━━━━━━━━━━━━━━━(decryption)━━━▶┊ master key ┊
╰─────────────────────╯                                       ╰┈┈┈┈┈┈┈┈┈┈┈┈╯

                          ╭┈┈┈┈┈┈┈┈┈┈┈┈╮
                          ┊ master key  ┊
  file on disk:           ╰┈┈┈┈┈┬┈┈┈┈┈┈╯
 ┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐        │
 ╎╭───────────────────╮╎        ▼          ╭┈┈┈┈┈┈┈┈┈┈╮
 ╎│ encrypted file key│━━━━(decryption)━━━▶┊ file key ┊
 ╎╰───────────────────╯╎                   ╰┈┈┈┈┬┈┈┈┈┈╯
 ╎┌───────────────────┐╎                         ▼            ┌┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┐
 ╎│ encrypted file    │◀━━━━━━━━━━━━━━━━━(de/encryption)━━━▶┊ readable file  ┊
 ╎│ contents          │╎                                      ┊ contents       ┊
 ╎└───────────────────┘╎                                      └┈┈┈┈┈┈┈┈┈┈┈┈┈┈┈┘
 └ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘

In a nutshell:

  • Passphrase you will need to remember, and enter in order to mount the disk or partition.
  • Passphrase churned through key derivation function to generate master key. There should be enough iterations such that it takes the function ~1s to process on your computer.
  • Master key then be used to decrypt a keystore file, which contains a file key that is actually used to actually decrypt or encrypt your disk data.

Q. Why not have a master key that directly encrypts your data, why separate master key and file key?

A. If you decide to change your passphrase you have then have to re-encrypt your disk for the master key only scheme. On the other hand, if you have a separate master and file key, then if you change your passphrase you only need to re-encrypt the file key.

HTLee
  • 1,772
  • 15
  • 30