Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: harddisk encryption
From: "Lentila de Vultur" <ledeve () gmx net>
Date: Wed, 16 Feb 2005 15:20:38 +0100 (MET)

my comments to your comments:

1. If the encryptor encrypts your boot disk, it has to be involved early
in the
boot process and may be broken by anything that changes the system boot
sequence.
On the whole such a product would likely need two different drivers, one
of which
would change BIOS behavior, and the other of which would change runtime
OS behavior, and they must be in synch with one another.

  This is fine until you decide to change operating systems, at which
point the boot
may change and make your old data suddenly disappear. Things on the other
hand are
easier if the encrypting disk product only encrypts data devices
(including virtual
disks) since only one driver need be used.

in this case you can unencrypt the drive, do the neccessary changes, and
re-encrypt it. con: it's time-consuming.
 
2. In the event of disk crash or emergency, unless a tool is provided to
allow you
to access the encrypted disk from somewhere else, anything which causes an
OS to
become non bootable may be unfixable. You would not normally want such a
tool online,
but when you need it, you REALLY need it.

such tools are provided (at least for utimaco and securstar). and they are
small enough to fit on a floppy. of course you need to provide proper
credentials to decrypt anything. the possibility to save the encryption keys
and user authetication data is also provided.

 
4. An interesting question to ask of such a package is whether the data in
any
disk block is a cipher depending only on a fixed key and the original
data. If so,
and the same key is used for every block, there are attacks which can be
used
to compromise such a system without having to decrypt it all. If on the
other hand
something else is an input, you need to know what else is used and how it
is
used and how key scheduling is done, to make any estimate of how strong
the
cipher really is.

can you please detail on this? or point me to some documentation.

 
The Ultimaco literature suggests that many users may have different
passwords to
access a computer disk protected by its package. If I were buying it in
bulk I
would certainly want to know more about how the key management is done to
allow
this. 

i've asked them. but no answer as yet.



thanks.


-----Original Message-----
From: full-disclosure-bounces () lists netsys com
[mailto:full-disclosure-bounces () lists netsys com]On Behalf Of Lentila de
Vultur
Sent: Tuesday, February 15, 2005 10:05 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] harddisk encryption


hi,

sorry for my late answer and for breaking the thread. below you can find
the
original post:

<>
i'm evaluating a software that performs harddisk encryption for deploying
in
my company. the software in question is utimaco safeguard easy v4.10
(www.utimaco.com) running on w2k.

i am interested in communitty's oppinion about this product. has anyone
performed a detailed analysis of it? i googled around but i couldn't find
much information, except that the version 3.20 sr1 has earned an eal3
certification from the german federal agency for it security. 
</>


thank you for all your answers and suggestions on and off the list.

what i like at safeguard easy are the possibility to encrypt full
harddisks,
not only files or partitions, and the boot authentication. Frank Knobbe
suggested encryption plus hard disk from pc guardian - I asked for an
evaluation copy. google suggested also drive crypt plus pack -
www.securstar.com.

imho, the main disadvantage of pgpdisk and alike compared with
full-encryption tools is that valuable data can remain unencrypted in the
swap file or in temporary files outside the container. When using full 
harddisk encryption tools no extra user interaction is required,
everything
is done transparently. there is no need for user training.


-- 
this e-mail is certified content-free.

Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


**********************************************************************
This transmission may contain information that is privileged, confidential
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this
transmission in
error, please immediately contact the sender and destroy the material in
its
entirety, whether in electronic or hard copy format. Thank you
**********************************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
this e-mail is certified content-free.

DSL Komplett von GMX +++ Superg√ľnstig und stressfrei einsteigen!
AKTION "Kein Einrichtungspreis" nutzen: http://www.gmx.net/de/go/dsl
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]