RE: [Full-Disclosure] harddisk encryption

From: Lentila de Vultur (ledeve_at_gmx.net)
Date: 02/16/05

    Date: Wed, 16 Feb 2005 15:20:38 +0100 (MET)
    To: <Glenn_Everhart@bankone.com>
    
    

    my comments to your comments:

    > 1. If the encryptor encrypts your boot disk, it has to be involved early
    > in the boot process and may be broken by anything that changes the system
    > boot sequence. On the whole such a product would likely need two different
    > drivers, one of which would change BIOS behavior, and the other of which
    > would change runtime OS behavior, and they must be in synch with one
    > another.
    >
    > This is fine until you decide to change operating systems, at which point
    > the boot may change and make your old data suddenly disappear. Things on
    > the other hand are easier if the encrypting disk product only encrypts
    > data devices (including virtual disks) since only one driver need be used.

    in this case you can unencrypt the drive, do the necessary changes, and
    re-encrypt it. con: it's time-consuming.
     
    > 2. In the event of disk crash or emergency, unless a tool is provided to
    > allow you to access the encrypted disk from somewhere else, anything which
    > causes an OS to become non bootable may be unfixable. You would not
    > normally want such a tool online, but when you need it, you REALLY need it.

    such tools are provided (at least for utimaco and securstar). and they are
    small enough to fit on a floppy. of course you need to provide proper
    credentials to decrypt anything. the possibility to save the encryption keys
    and user authentication data is also provided.

     
    > 4. An interesting question to ask of such a package is whether the data in
    > any disk block is a cipher depending only on a fixed key and the original
    > data. If so, and the same key is used for every block, there are attacks
    > which can be used to compromise such a system without having to decrypt it
    > all. If on the other hand something else is an input, you need to know
    > what else is used and how it is used and how key scheduling is done, to
    > make any estimate of how strong the cipher really is.

    can you please detail on this? or point me to some documentation.

     
    > The Utimaco literature suggests that many users may have different
    > passwords to access a computer disk protected by its package. If I were
    > buying it in bulk I would certainly want to know more about how the key
    > management is done to allow this.

    i've asked them. but no answer as yet.

    thanks.

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.netsys.com
    > [mailto:full-disclosure-bounces@lists.netsys.com]On Behalf Of Lentila de
    > Vultur
    > Sent: Tuesday, February 15, 2005 10:05 AM
    > To: full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] harddisk encryption
    >
    >
    > hi,
    >
    > sorry for my late answer and for breaking the thread. below you can find
    > the original post:
    >
    > <>
    > i'm evaluating a software that performs harddisk encryption for deploying
    > in my company. the software in question is utimaco safeguard easy v4.10
    > (www.utimaco.com) running on w2k.
    >
    > i am interested in community's opinion about this product. has anyone
    > performed a detailed analysis of it? i googled around but i couldn't find
    > much information, except that the version 3.20 sr1 has earned an eal3
    > certification from the german federal agency for it security.
    > </>
    >
    >
    > thank you for all your answers and suggestions on and off the list.
    >
    > what i like at safeguard easy are the possibility to encrypt full
    > harddisks, not only files or partitions, and the boot authentication.
    > Frank Knobbe suggested encryption plus hard disk from pc guardian - I
    > asked for an evaluation copy. google suggested also drive crypt plus pack -
    > www.securstar.com.
    >
    > imho, the main disadvantage of pgpdisk and alike compared with
    > full-encryption tools is that valuable data can remain unencrypted in the
    > swap file or in temporary files outside the container. When using full
    > harddisk encryption tools no extra user interaction is required,
    > everything is done transparently. there is no need for user training.
    >
    >
    > --
    > this e-mail is certified content-free.
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    -- 
    this e-mail is certified content-free.
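
Point 4 above asks whether each disk block's ciphertext depends only on a fixed key and the original data. The following is an added example, not part of the original message or of any product discussed: it uses a toy Feistel cipher (an assumption, standing in for a real block cipher) over a constructed three-sector disk to show what an evaluator can check for, namely repeated ciphertext blocks, and how mixing the sector and block position into the encryption removes them. All function names are hypothetical.

```python
import hmac, hashlib
from collections import Counter

BLOCK, SECTOR = 16, 512

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network; a toy stand-in for a real block cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return left + right

def _tweak(key: bytes, sector: int, index: int) -> bytes:
    # Per-block mask derived from the block's position on the disk.
    msg = b"tweak" + sector.to_bytes(8, "little") + index.to_bytes(2, "little")
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def encrypt_sector(key: bytes, sector: int, data: bytes, use_position: bool) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        if use_position:
            # Position is an extra input: mask, encrypt, mask again.
            t = _tweak(key, sector, i // BLOCK)
            block = bytes(a ^ b for a, b in zip(block, t))
            block = toy_encrypt_block(key, block)
            block = bytes(a ^ b for a, b in zip(block, t))
        else:
            # Ciphertext depends only on the fixed key and the plaintext block.
            block = toy_encrypt_block(key, block)
        out += block
    return bytes(out)

def repeated_blocks(image: bytes) -> int:
    # Number of ciphertext blocks whose value occurs more than once in the image.
    counts = Counter(image[i:i + BLOCK] for i in range(0, len(image), BLOCK))
    return sum(n for n in counts.values() if n > 1)

def audit(use_position: bool) -> int:
    key = b"constructed-demo-key"
    # Constructed sample disk: two zero-filled sectors, one sector of distinct blocks.
    distinct = b"".join(i.to_bytes(BLOCK, "big") for i in range(1, 33))
    sectors = [bytes(SECTOR), bytes(SECTOR), distinct]
    image = b"".join(encrypt_sector(key, n, s, use_position) for n, s in enumerate(sectors))
    return repeated_blocks(image)
```

With the fixed-key-only scheme, audit(False) counts 64 repeated ciphertext blocks, all from the two zero-filled sectors, so the layout of empty space is visible without the key; audit(True) counts none.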