[unisog] OT: Putting Encyption Functions in the HDDs

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Apr 26 06:09:30 GMT 2006


On Fri, 21 Apr 2006 10:53:16 PDT, Saqib Ali said:

> In software encryption, the security-key and password is controlled
> above the OS. Therefore the security is not perfect. Also with
> software based solutions, full encryption is not possible, because the
> encryption process creates temporary files. With hardware based
> solutions this is not a problem since the security-key and password in
> a separate part of the HDD, and no need for temporary files. Plus
> hardware encryption is a lot faster then software enryption.

I am *totally* surprised that nobody is noticing that if the keys and the
crypto live on the disk, then merely removing the encrypted disk from one
machine and plugging it into another will Just Work (think for a bit - either
the crypto is invisible to the host machine, in which case nothing happens, or
the crypto requires interaction with the host box - and the disk can't really
tell if it's connecting to its original home or not.. so a new box pretending
to be the original will connect Just Fine).

So this really only stops attackers who crack the case and access the platters
without the assistance of the drive's electronics.  And what attacker does *that*
if the disk can be read without cracking the case? ;)

It's possible to do crypto on a disk that won't allow the easy migration of
the disk to another box - but that requires some serious handshaking with the
BIOS (a TPM-equipped system can probably do it *if* the BIOS and OS are cooperating).
Note that BIOS interaction is needed, because you need to set up the crypto
before the real OS boots (as otherwise the OS is trying to boot from a crypted
area it can't read....)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20060426/af8f0b62/attachment.bin


More information about the unisog mailing list