Saturday, February 16, 2013

How Disk Encryption Works

If you hold sensitive data on your laptop, work or home computer, you may need to implement some sort of disk encryption to keep it secure. This may come in handy when you lose your laptop, or if some attacker makes away with your hard drive (a case of data theft, or some government agency..).

I'll attempt to give a high-level description of disk encryption.

The whole disk is divided into equal sized blocks. A random character string called a key is generated by the system, and is passed to an encryption function, together with the contents of each block of the disk, and the output is stored on the disk. This data therefore looks like some random gibberish without meaning.

Any person who accesses this storage device cannot derive the unconcealed form of the data.

When the block data needs to be decrypted, the stored data is passed to a decryption function, together with the key that was used in the encryption process, to derive the unconcealed version. The security of the encrypted data therefore depends on the secrecy of the key.

One way of protecting the key is to store it on an external storage device, such as a flash-drive, and this is inserted into the system whenever the owner wants to boot up the computer. Another technique is to store it on an unencrypted part of the hard drive, and protect it with a passphrase, which the owner enters at boot time to retrieve the key. In UNIX-like systems, this may be in the /boot partition.

In the latter case, the owner needs to select a strong passphrase.

Once the key is available to the system, any data that is loaded to the memory is decrypted on the fly, and any data being written to the disk is similarly encrypted. Thus, if the attacker gains access to the system while it is on, disk encryption may not help.

That is, hopefully, an understandable  high-level description of disk encryption. In real sense, the actual implementation is more complex. See the document here for details.

If you understand deeply disk encryption, feel free to correct any errors or clarify any ambiguities in the blog comments.

No comments:

Post a Comment