Full disk encryption software development

Networking/Security Forums -> Security Related Software

Author: akhtis    Location: Belgium    Posted: Tue Apr 20, 2010 10:10 pm    Post subject: Full disk encryption software development
First, excuse me for my English; it is not my mother tongue, so if something is unclear in the following lines, please tell me!

I'm interested in full disk encryption for professional and personal reasons. I tried a bunch of software but none of them ever met all of my criteria, which are:

-very strong encryption (AES 256 is enough of course)
-Transparency, no need of a fancy interface. I just want to enter my key before booting my OS's...
-simple and effective: I really don't need features like key changing or keylog protection
-Multi-boot compatible, which is the most important thing for me, and multi-drive compatible

Based on my new experience in that area after trying Diskcrypt plus pack, TrueCrypt, PGP encryption, DiskCryptor and a few others, I came up with an idea: since I know exactly what I'm looking for, why can't I program it myself? Of course I'm talking about a very tiny piece of software, but I'm not particularly an expert in that matter, so I'd like to ask for some advice, but first let me explain what I had in mind...

What I want is some sort of pre-boot authentication by password; the perfect thing for me would be that the password needed to gain access to the computer is actually the encryption key. I have a very good memory, and memorizing a 256 sequence of random characters is nothing I'm afraid of. When the user has eventually succeeded at the pre-boot authentication, my special program will then chain boot to a bootloader like GRUB for instance, and therefore everything will look to the user's eyes like the system is absolutely not encrypted.

So, what I concretely need is a small program that can encrypt my hard drives, block access to the whole system at boot level, require an encryption key and then use that key to decrypt my hard drives in real time (independently of the OS running ideally, although I don't know if it is possible on a software basis) and then chain boot to a bootloader like GRUB.

The problem is I don't really know how to start... Do I need to make a bootable partition on my system drive to force the computer to boot from it and run my program that way (that seems quite complicated), or could a small piece of software stored in the MBR, like GRUB, actually do all this?

I would also like to add a few things:

This is a most serious project. Even if I'm not an expert, I'm ready to learn and/or study hard.
If all this eventually tends to become usable and functional, I'm clearly willing to publish it as an open-source project or a freeware.

Thank you all in advance for your help.

Author: capi    Location: Portugal    Posted: Wed Apr 21, 2010 12:53 am    Post subject:
Hi akhtis, welcome to the forums!

Your idea sounds useful indeed, especially the multiboot and compatibility, which is basically where TrueCrypt for example is lacking.

Off the top of my head, the biggest hurdle may be the OS independence. Real mode code will use the BIOS to access the hard drive, so you could just hook the corresponding BIOS services (overwriting the corresponding addresses in the interrupt vector table with your own functions). The problem is with protected mode OSes (e.g. GNU/Linux, Windows NT and later, etc.), which will normally bypass BIOS functions and access the hardware directly through their own drivers.

TrueCrypt implements this functionality for Windows; I am not sure how they actually do it, though. They definitely need some kind of real mode hook in order to intercept disk access by the bootloader. They obviously install a driver on the OS, so they most likely just do the protected mode hooking from there -- their driver is probably registered at service_boot_start level so that it gets loaded alongside the disk drivers. Of course, all of this requires tying yourself to the OS.

I think you should be able to do something similar in Linux, probably hacking around the device mapper, but I've never really looked at the block device part of the kernel.

As for loading your code in the first place, you will of course need something in the MBR to start with. I doubt you'd be able to fit it all in the 446 bytes of space you have there, though. You could do what Grub does, and implement a system of stages: stage 1 is in the MBR, which does the initial work. It would probably ask for the key and then decrypt a second stage that does the real work (somewhere in the first few reserved sectors of the drive, for example).

You might get some good hints from the TrueCrypt folks (or by looking at the program's source code). Try asking over at their forums. Perhaps they might even be interested in volunteers for porting their disk encryption support to Linux...
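The staging constraint capi describes (boot code limited to the first 446 bytes of the MBR, with a second stage in the reserved sectors before the first partition) can be checked against a real sector layout. The C sketch below is an added example, not part of the thread or of any product mentioned in it; it assumes classic MBR partitioning, and the function names and the sample sector are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PART_TABLE  446  /* boot code occupies bytes 0..445; 4 x 16-byte entries follow */
#define SIG_OFFSET  510  /* boot signature bytes 0x55 0xAA */

static uint32_t le32(const uint8_t *p) {  /* MBR fields are little-endian */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Sectors between the MBR (LBA 0) and the lowest partition start, i.e. the
 * space a second stage could occupy. Returns -1 if the boot signature is
 * missing and 0 if no partition is defined. */
long mbr_gap_sectors(const uint8_t mbr[SECTOR_SIZE]) {
    if (mbr[SIG_OFFSET] != 0x55 || mbr[SIG_OFFSET + 1] != 0xAA)
        return -1;
    uint32_t first = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE + 16 * i;
        uint32_t start = le32(e + 8);              /* starting LBA */
        if (e[4] == 0x00 || start == 0) continue;  /* type 0 = unused entry */
        if (first == 0 || start < first) first = start;
    }
    return first ? (long)first - 1 : 0;
}

/* Does a stage-2 image of `bytes` bytes fit in that gap? */
int stage2_fits(const uint8_t mbr[SECTOR_SIZE], size_t bytes) {
    long gap = mbr_gap_sectors(mbr);
    return gap > 0 && (bytes + SECTOR_SIZE - 1) / SECTOR_SIZE <= (size_t)gap;
}

/* Constructed sample: one active partition, type 0x83, starting at LBA 63. */
void make_sample_mbr(uint8_t mbr[SECTOR_SIZE]) {
    memset(mbr, 0, SECTOR_SIZE);
    uint8_t *e = mbr + PART_TABLE;
    e[0] = 0x80; e[4] = 0x83;   /* active flag, partition type */
    e[8] = 63;   e[14] = 0x10;  /* start LBA 63, size 0x100000 sectors */
    mbr[SIG_OFFSET] = 0x55; mbr[SIG_OFFSET + 1] = 0xAA;
}

int main(void) {
    uint8_t mbr[SECTOR_SIZE];
    make_sample_mbr(mbr);
    printf("gap: %ld sectors, 16 KiB stage 2 fits: %d\n",
           mbr_gap_sectors(mbr), stage2_fits(mbr, 16 * 1024));
    return 0;
}
```
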

Author: Fire Ant    Location: London    Posted: Tue Nov 23, 2010 6:24 pm    Post subject:
I second what Capi says. Of the commercial products, some implement a small Linux boot environment for user authentication. This has various benefits, such as greater support for smartcards and tokens, and can provide a richer user interface, whereas others such as PGP prefer to use a real-mode approach, which is smaller and quicker.

You would need to encrypt the real MBR, which is used to load the OS, to ensure that no one can just bypass your boot sequence. PGP, for example, stores the real MBR in two separate locations to ensure that it is always available.

You may also want to look at this: http://www.pgp.com/products/packages/desktop_pro/#faq8. PGP does have a product which works on OSX, Linux and Windows, so it has probably the widest OS support to date.

You will have problems if you plan to implement your encryption technology on SSDs. Pretty much every vendor has got problems with performance at the moment.

Good luck and keep us posted.

Fire Ant

All times are GMT + 2 Hours