Techniques and Solutions for Storage Encryption

Vittorio Giovara

February 20, 2008

Contents

1 Introduction 3
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Basics of File Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.1 Files and Filesystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.2 Disk partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.3 Master Boot Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.4 Loop Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Modern Techniques 5
2.1 Full Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Virtual Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Volume Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4 File/Folder Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.5 Other Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 Solution Analisys 8
3.1 Possible Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1.1 Advantages/Disadvantages Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Cryptoghaphic Concerns and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 Authentication Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.4 Selection Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4 Current Implementations and Benchmarks 11

4.1 TrueCrypt 5.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.1 TrueCrypt for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.2 TrueCrypt for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.3 TrueCrypt for Mac OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 BestCrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.1 BestCrypt for Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.2 BestCrypt for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3 Operating System Integrated Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3.1 Linux - dm-crypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3.2 Windows - EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.3.3 Mac OS X - FileVault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.4 Final Benchmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.4.1 Volume Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.4.2 Virtual Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.4.3 Full Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Bibliography 20

A Test script 21

1
List of Tables

4.1 Volume Encryption perfomance test #1 (one file from single bytes). . . . . . . . . . . . . . . 14
4.2 Volume Encryption perfomance test #2 (one file from blocks of 1024 bytes). . . . . . . . . . . 14
4.3 Volume Encryption perfomance test #3 (one file from blocks of 4096 bytes). . . . . . . . . . . 14
4.4 Volume Encryption perfomance test #4 (multiple files from single bytes). . . . . . . . . . . . 15
4.5 Volume Encryption perfomance test #5 (multiple files from blocks of 1024 bytes). . . . . . . . 15
4.6 Volume Encryption perfomance test #6 (multiple files from blocks of 4096 bytes). . . . . . . . 15
4.7 Virtual Disk Encryption perfomance test #1 (one file from single bytes). . . . . . . . . . . . . 16
4.8 Virtual Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes). . . . . . . . 16
4.9 Virtual Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes). . . . . . . . 16
4.10 Virtual Disk Encryption perfomance test #4 (multiple files from single bytes). . . . . . . . . . 16
4.11 Virtual Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes). . . . . 17
4.12 Virtual Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes). . . . . 17
4.13 Full Disk Encryption boot time test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.14 Full Disk Encryption perfomance test #1 (one file from single bytes). . . . . . . . . . . . . . . 17
4.15 Full Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes). . . . . . . . . . 18
4.16 Full Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes). . . . . . . . . . 18
4.17 Full Disk Encryption perfomance test #4 (multiple files from single bytes). . . . . . . . . . . . 18
4.18 Full Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes). . . . . . . 18
4.19 Full Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes). . . . . . . 19

2
Chapter 1

Introduction

focus on the current theories and actual implementations of the storage encryption
T HIS DOCUMENT WILL
technology. A brief introduction to the problem of securing data on hardware devices will be provided,
along with some basics about file storage techniques, in order to fully understand the main issues. Afterwards
this document will present the main solutions analizing the advantages and disadvantages of each one, taking
in consideration encryption and authentication concerns. Finally some related open source programs.currently
available will be showed, testing the performance impact of each adopted solution.

1.1 Overview
Due to the pervasive presence of computer systems in every aspect of modern life, there has been mayor concern
regarding the protection and confidenciality of data and information stored in hardware devices, such as hard
disks, USB drives, portable CD/DVD and memory cards. Malicious actions can be performed in order to obtain
access to sensitive data and commit identity theft, industrial secrets disclosure, fraud and privacy violation in
general.
To avoid unauthorized access to private information it has been suggested to adopt symmetric encryption
(quickier than asymmetric encryption for large quantities of data) on such devices, making impossibile to
dispose of such data without proper authentication and proper access rights. This way data is protected from
unauthorized read even in case of loss of device.
Encryption is very effective, as it can be applied to single files (granularly) or to the whole volume, but
its introduction can cause some disadvantages, like backup problems, recovery of lost keys, operating system
integration, performance impact and centralized management drawbacks.

1.2 Basics of File Storage

In order to understand how the technologies for storage encryption work, it is important to have some basic
knowledge about how files are stored on disk and how the operating system interacts with the filesystem. Here
is presented a brief description of some of the recurring aspects in the solutions later discussed..

1.2.1 Files and Filesystem

The computer stores data into an abstract data type, called file, that allows to organize and access information
according to the operating system implementation. Files are usually stored on non volatile devices for pre-
serving their state even withouth power supply; such devices can be magnetic disks (very common) or flash
memory (like memory cards and USB pendrives).
The operating system can access files only if the disk is formatted with a filesystem; this means that the
device is organized under known patterns as reported by the filesystem. It the filesystem that manages and
stores file accordingly onto the device, respecting the address data of clusters and blocks of the disk, and that
works as a driver for the operating system when dealing with file attributes, file types, access permission and
available operations.

3
1.3 Solutions 4

1.2.2 Disk partition

A disk can be formatted only if it has been properly partioned, that is, it has been logically divided in one or
multiple indipendent drives. A partition is the logical container of the filesystem; if no filesystem is present the
partition is “raw”and can’t be accessed by the operating system (with some exception, like the swap-space in
UNIX systems).
In IBM PC-compatible disks, the list of the partition is stored in the Partition Table, a 16 bytes field in the
Master Boot Record; these kind of disks can hold only four primary partitions, but it’s also possibile to create
one extended partition capable of holding up to 128 different partitions. The type of partition is defined in the
first byte of the partition table entry (which can also contain inforrmation about the filesystem installed).

1.2.3 Master Boot Record

The Master Boot Record is the first sector (512 bytes) of a partitioned data storage device, often called “Sec-
tor 0”, and contains important information of the structure of the partitioned disk. In IBM-PC convention, the
Master Boot Record holds the primary partition table, four 16 bytes entries, and the bootstrapping code, the
code to be executed when the BIOS identifies the first active primaray disk, usually a bootloader, such as LILO
or GRUB, or some operating system bootstrap instructions..

1.2.4 Loop Device

Loop devices are pseudo-devices that make files accessible as if they were actual physical disks. They can be
mounted and formatted like any other storage device, with the difference that the files reside above another
filesystem; normally perfomance of loop devices is slower than standard hardware devices.

1.3 Solutions
As reported by [1], the most commonly found solutions for storage encryption are:

• Full Disk Encryption

• Virtual Disk/Volume Encryption

• File/Folder Encryption

Ii is possible to implement nested solution or use other available systems. The following chapter (§2) will
describe the operational behaviour of each system alogn with other possibile solutions, while for a more detailed
analisys, please consult §3.
Sometimes Virtual Disk/Volume Encryption is referred as on-the-fly encryption because files are immedi-
ately accessibile after authentication and the virtual disk is mounted with physical drive emulation.
Chapter 2

Modern Techniques

present the available technologies created for implementing storage enctryption in

T HIS CHAPTER WILL
various environment, showing the main purposes and limitations of each method.

2.1 Full Disk Encryption

Full Disk Encryprion is a software based technique that ciphers the whole content of the disk, all files (in-
cluding the system ones) present on the device, with a symmetric encryption algorithm (usually the Advanced
Encryprion Standard).
This method works by redirecting the Master Boot Record code to a Pre Boot Environment instead of
the primary operating system; in the Pre Boot Environment the system loads basic drivers for Input/Output
and asks the user for authentication (Pre Boot Authentication). After this passage, the computer loads and it
decrypts all the files needed during bootstrap; when the operating system is loaded, the user is no more asked
for authentication and every file is transparently encrypted or decrypted when it is written or read on disk
respectively.

Figure 2.1: Boot sequence for Full Disk Encryption (orginal image at [1])

Full disk encryption is very effective when the device is lost or when the computer is off, as there is no
way for data to be disclosed without proper user authentication, but it is very weak in respect to other storage
encryption solutions because when the computer is on and the operating system is loaded it doesn’t offer any
kind of security or confidenciality at all.
On the other hand, this method is very well supported by operating systems, since the encryption is traspar-
ent to them, even if modifying the Master Boot Record can generate trouble in dual or multi boot systems (a
computer with two operating systems or more). The Master Boot Record is usually checked for integrity at
the Pre Boot Environment, so it is not possibile to modify it without proper tools. There are some hardware
implementations that, thanks to additional unremovable disk controllers for key and password storage, preserve
the Master Boot Record; however they have received poor interest from the market as they cannot be managed
centrally and require physical presence for any operation..
The delay and overhead brought by the encryption/decryprion process is tangible only at boot time and
when dealing with very large files.

5
2.2 Virtual Disk Encryption 6

2.2 Virtual Disk Encryption

Virtual Disk Encryption is used for encryption of single or multiple files. The files which need protection are
store in a special container, as if it were a folder, and it is afterwards encrypted. A separate software is needed
to obtain access to the files saved in the container and all read and write are managed to that software only after
authentication. Sometimes it is also possibile to install such software as a kernel module in order to reduce the
delay time.
If the operating system support single sign-on, it is possibile to configure this solution to automatically
authenticate the user through the operating system authentication; in this way it woud be enough for the user
using a single password for accesing the operating system and the encrypted file. Even if this can prove to be
more functional, it severly lowers the security of the system, so it should be used with caution,
The Virtual Disk Encryption method is very portable as it doen’t involve filesystem metadata (path, times-
tamps, etc.) nor the operating system support (everything is performed throught the bundled software). Often
when the container is copied or moved from the disk to a portable device, also the necessary executable is
inserted, making the container accessible from other computes.
Thanks to this ease of portability this method is also preferred for making quick backups of the encrypted
file.

2.3 Volume Encryption

Volume Encryption adopts the container technology used in Virtual Disk Encryption for protecting a whole disk
partition, like in Full Disk Encryption. So it inherits all the properties of both methods, easy and quick backups,
external software for accessing the container, transparent for the user as it protects all files in the volume and
portability.
Moreover it is possibile to mount this volume container, just like any other disk device, and use it directly
without the software (which is alwasy needed for authentication). On the other hand this solution offers lower
encryption capabilities than Full Disk Encryption, since it cannot cipher the primary disk where the operating
system is installed and so it cannot even protect the memory or the swap file.

2.4 File/Folder Encryption

File/Folder Encryption is very similar to the Virtual Disk Encryption solution, basically it’s its transparent
implementation: the software is directly integrated in the operating system and the container is just a filesystem
folder.
This method is very performant, as it is possible to encrypt/decrypt single files, instead of the whole con-
tainer, and since it is directly supported by the filesystem the directory structure and datapath are preserved,
without having to move the files in the container. Moreover its integration with the operating system allows
some automatic encryption of files written by selected applications, files with a certain extension and files from
particular users. Also in this solution it is possible to adopt single sign-on for rapid access to files.
One of the main drawbacks of this solution is that external information of files, such as filename, size, type
and path, are not (and can’t) be protected, reducing the the level of confidenciality offered.

2.5 Other Solutions

Full Disk Encryption, Virtual Disk/Volume Encrytpion and File/Folder Encryption are not the only available
solutions, but are certainly the most adopted. Other methods are less supported by the existing environment
and/or require additional actions from the user.
One solution involves modification of the application level in order to cipher only the important pieces of
information; for example in a database application it is possible to encrypt only the sensitive fields of certain
tables, like customers’ private data. Obviously this metodology can be applied in limited occurences and so is
rarely applied.
Another solution is to let access of important data only through a virtual machine disconnected form the
network which is encrypted when not in use. This solution is very similar to the Virtual Disk Encryption but
2.5 Other Solutions 7

offers additional security as it is possible to nest different protection measures and tell apart the important data
from the user data; since virtual machine are single files it is very easy to make backups.
One final solution consists in forbidding the storage of sensitive information on any device. This is per-
formed in several ways:

• No copies on mobile devices, like PDAs, memory cards or USB drives;

• No copies on CD or DVD if data has not been encrypted;

• Adopting a terminal/client environment, so data can be secured directly on the mainframe and accessed
only after user authentication;

• Accessing sensitive data only through secure applications, for example using a web portal to gather and
manipulate data over a secure SSL channel (in which it’d be convenient to authenticate both the server
and the client).
Chapter 3

Solution Analisys

AVING PRESENTED THE MAIN choices of Storage Encryption techniques, in this chapter will be presented
H a detailed analisys of general problems in adopting a solution and the theoretical and practical aspects of
the encryption process and authentication metodology.

3.1 Possible Problems

After having set up a Storage Encryption environment, many implementation aspects are often not taken care
of. For example there is no solution that protects the empty space disk. When deleting a file often its content
is not totally deleted, but its pointer is just deferenced; so using forensic analisys over the empty space it is
possibile to restore part or the whole of the file.
Another weak point of the current solutions is that after authentication data is decrypted right away and
stored in primary memory with no protection and unauthorized software could fetch sensitive data directly
from it. Simirarly there are almost no systems that preseve encryption over copied or moved data. Moreover
many software based solutsions keep authentication information like keys and password on the device they
are protecting, making it easy prey of malware and malicious attacks. Finally all systems are susceptible to
keyloggers, hardware or software devices that keep track of what has been typed on the keyboard, in order to
obtain passwords or directly important data itself.
On the other hand modern technologies are very compatibile with each other and so it is possible to use
several protection systems for the same resource even with different keys each. Moreover the same resource
can be shared by multiple users still in encrypted form and decrypted with several different keys; see §3.3 for
further details.

3.1.1 Advantages/Disadvantages Summary

Here is a brief summary of the advantages and disadvantages of each of the main solutions. Please see §2 for a
more detailed description.

Full Disk Encryption

+ All data on disk is protected and the user hasn’t got to choose which files to protect;

+ Immediate data destruction, it is just needed to destroy the keys and data will be unreadable;

- Offers no protection whatsoever when the operating system is loaded;

- Limited protection to swap and hibernation files.

Virtual Disk/Volume Encryption

+ Only selected content protected;

+ Very portable and easy backup;

8
3.2 Cryptoghaphic Concerns and Management 9

+ Possibile single sign-on for automatic access to encrypted files;

- No protection to swap file and primary memory.

File/Folder Encryption
+ Integrates perfectly with the operating system and the filesytem;

+ Possibile single sign-on for automatic access to encrypted files;

- Needs filesystem support for preserving encryption;

- Less confidenciality offered.

3.2 Cryptoghaphic Concerns and Management

Storage Encryption offers some intersting challenges from the point of view of cryptographic analisys. As a
matter of fact a great number of parameters is implementation dependant, like the number and the types of
keys used in the cipher, the encryption algorithm and the storage of the hashes of the authentication details (as
username and password mustn’t be kept in cleartext).
Generally, according to [1], the preferred algorithm for security and performance reasons is the Advanced
Encryption Standard (AES) with integrity checking through either HMAC-SHA or Cipher-Based Message
Authentication Code (CMAC), or Counter with Cipher Block Chaining-Message Authentication Code (CCM),
Please see [1] for additional details.
There are two very aspects that affect the classical encryption process. The first one is that there are
encrypted files that have to be shared across multiple users. Clearly it is impossible to reuse the same key,
because it would be too greatly reduce the security level of the key (and the associated password). So it must
be used a triky solution: each single key is used to decrypt another file which contains the single key used to
decrypt the actual encrypted data. This procedure is described in more details in §3.3.
The other peculiar factor is that since a single loss of a key can make the whole encrypted data unreadable,
just as if it would be completely destroyed, there must be some kind of recovery system. This is implemented
in several ways like using a special recovery key in addition to the users’ keys. Very often however keys are
kept secure in a centralized server that is used for management.
As a matter of fact all the described solutions are set up to be controlled and managed remotely from
a centrilized computer which is in head for handling many management aspects. Moreover with a centrally
managed system it is possible to perfom frequent and easy backup of the sensitive encrypted data and/or of the
computer setting. Here is a list of the advantages of a centrally managed environment:

Updates and deploying One of the key factor for a secure storage environment is to keep software updated
and be able to deliver to the final users quickly;

Configuration As said before, there are many parameters to be configured, not only the algorithms and key,
but also some authentication settings (like files accesibile from differnt groups of users, admistrators and
single user);

Logs Many programs help to keep track of file access or password modification and having a centralized
managent system is necessary for fetching and saving such information;

Recovery Recovery keys when the main key is lost or damaged are stored on the centralized system in order
to always keep a safe copy for quick action. Sometimes it is possible to store backups of encrypted data
too;

Routine system management Just some control and checks over the running systems.
3.3 Authentication Issues 10

3.3 Authentication Issues

Authentication is another important aspect of a Storage Encryption environment. All the solutions presented
are based on a successful authentication for allowing access to encrypted files. This is achieved with any of the
following authenticators (in order of effectiveness against security):

single sign-on Access granted via the credentials provided by the operating system;

unique password or PIN A normal password-based authentication;

token-code Single use codes, obtained from additional hardware, providing one time passwords;

token-code with unique password or PIN The union of the two previous factors.

It is possible to use either one-factor authentication or two-factor authentication systems; with the former
the authenticator usually grants access to the key used in actual decrypting while with the latter tipically one
factor gives access to another factor which is the one used in decrypting information; as [1] reports, a password
can be used to retrieve a key from a smart card and use that key to decrypt the storage encryption key. Clearly
two-factor authentication is much more secure and the acquisition of either factor doen’t cause the disclosure
of the encrypted data.
Another interesting aspect of the authentication process is when dealing with encrypted files accessible
from different multiple users. This seems to break the conventional rules of encryption algorithms, but actually
the implementation is very simple. The data is encrypted with just a single key which is put in a container or a
clear file; in either ways, the key is repetidely encrypted with as many keys as users. So when a user uses his
own password or key to access the data, that password is used to decrypt the ciphered key used in for real access
to data. This can prove to be delicate when the key needs updated, but thanks to centrally managed system the
process requires very little time for encrypting the main key several times and depoying the secondaray key to
the users.

3.4 Selection Aspects

The choice of the Storage Encryption technology should be based on several factor and should not be limited
to a single solution. The main aspect on which perform the selection are:

• what needs protection

• what are the authenticators supported

• how does the operating system support the solution

• how is the system managed

• interoperability between different operating systems

• which is the performance impact of the solution

• how are recovery and backups performed

Chapter 4

Current Implementations and Benchmarks

it will be shown a set of the modern opensource implementations for storage en-
I N THIS FINAL CHAPTER
cryption systems; a compehensive list of all the storage encryption software is located at [6]. The analisys
will provide a description of the main features and some actual performance tests about the performance impact.

4.1 TrueCrypt 5.0

TrueCrypt is one of the most portable solution as it is available for Windows, Mac OS X and Linux systems
and its sources are freely available. It offers lots of cryprographic algorithms too, like AES (default), Blowfish,
Serpent, 3DES, Twofish and combination of them; it secures the passwords with RIPEMD-160, SHA-1 or
Whirlpool hashes. This tool also gives the possibility to create hidden volumes that are more difficult to identify.
Given its portability, every disk image created with TrueCrypt is readable by any version of the software on
any operating system; on the othe hand, the disk image format is not standard and can’t be mounted by normal
system tools but requires the presence of the software to access the containers.

4.1.1 TrueCrypt for Linux

The version for Linux systems installs a command line program that implements only the Virtual Disk/Volume
Encryption solution. With the option truecrypt -c it is possible to map a virtual container or a partition
as an encrypted volume. Then the user is prompted for selecting the volume size, the cipher, the hash and the
filesystem; as standard UNIX tools, it is possible to pass these parameters as command line arguments.
After the volume creation it is possible to mount like any other device to a folder, but not with the mount
command: it is necessary to mount the container always with the truecrypt program, which will need the correct
volume password in order to access it. Now it is possible to use the encrypted volume (or file) like a stardard
storage device.
The only available filesystem for the container is FAT.

4.1.2 TrueCrypt for Windows

The version for Windows offers the Full Disk Encryption and Virtual Disk/Volume Encryption as well. The
program has a graphical user interface with the same options of the Linux counterpart: same algorithms, same
hashes, possibility to mount the container as a normal volume and so on. The user just needs to follow a
graphical wizard where each parameter is somewhat described.
For mounting volumes the user has to browse for the image file and a select drive letter; now it is possible
to access the container like a normal drive from My Computer folder. This volume can be formatted in FAT or
NTFS filesystems.

4.1.3 TrueCrypt for Mac OS X

The version for Mac OS X has the same graphical user interface of the Windows version, but doesn’t offer the
Full Disk Encryption implementation. There are the usual encryption algorithms and hashes and it is possible
to mount volumes only with the program itself.

11
4.2 BestCrypt 12

Also in this version the only available filesystem is FAT.

4.2 BestCrypt
BestCrypt is one of the most used tools for storage encryption and one of the oldest program available (started in
1993). The sources are open for review, but the program is not free: there is a 30-day tryout before purchasing
a licence.
This software has more parameters of choice with respect to TrueCrypt as it has more encryption algorithms,
(like IDEA, CAST and GOST), more hashes for password (like MD5) and supports as many filesystems as the
operating system can (FAT, EXT2/3 and ReiserFS on Linux, FAT and NTFS on Windows). Another interesting
feature is that images created by different version of this program are compatible with each other.

4.2.1 BestCrypt for Linux

The Linux version offers only Virtual Disk/Volume Encryption implementation. Actually it is more difficult
to install than Truecrypt, beacuse it requires some proprietary modules to be loaded into the kernel, and once
installed there is no tutorial or wizard for creating volume files, but needs direct command line arguments from
the user.
The program bctool requires an action to perform. The most used are:

• new to create a virtual disk or a block volume, with the -a option for selecting the cipher;

• format to format the container with the FAT filesystem (you can select others with the -t option);

• mount to mount the container like any other device.

4.2.2 BestCrypt for Windows

Similarly to TrueCrypt this version of BestCrypt support Virtual Disk/Volume Encryption and Full Disk En-
cryption. It offers even more parameters for virtual disks like authentication method (password based, public
key or shared secret) and hash functions (most notably SHA-256).
Also in this version there is a graphical user interface with a control panel listing all the mounted volumes
and the disk images that are possible to be mounted.

4.3 Operating System Integrated Solutions

Here is a presentation of the main security features for storage devices already present in current operating
systems.

4.3.1 Linux - dm-crypt

Linux world shifts continuosly and new features regarding cryptography are added to the kernel very often.
However there is one standard tool to manage the encrypted devices: dm-crypt which stands for Device Mapper
for (en)Cryption. It is a kernel tool that maps encrypted disk to standard device files and while authentication
and encryption is performed externally by tools like cryptsetup.
The format in which the container or the volume is encrypted is standardized by the LUKS project (Linux
Unified Key Setup). In this way the container can be created, mounted, managed by different software, even on
different operating system; for example FreeOTFE for Windows is capable of handling virtual disks created in
Linux and the disks created by FreeOTFE can be mounted in Linux systems.
cryptsetup is capable of creating Volume Encryption devices and with Virtual Containers even if the
latter requires a loop device already available (operation usually done with losetup; for more information
see §1.2.4 or consult [3]). Since it works with dm-crypt which is close to the kernel, it can create encrypted
root systems with the Pre-Boot Authentication. This is usually done by editing the bootloader and creating (or
modifying if existing) and the initrd.img file; at start up initrd.img is loaded before the kernel and
4.4 Final Benchmarks 13

it generates a subsystem for user authentication, aftet which the system is dynamically decoded and loaded.
Regarding this process there is very detailed guide at [7].
The syntax for cryptsetup is a little more complicated with respect to other solutions and there is
practically no wizard at all. When dealing with Volume Encryption in general it is necessary to add the prefix
luks to standard operation (open, mount, create) and to define the hash and cipher from command line (default
AES, RIPEMD-160). The filesystem supported are the same supported by the operating system in which the
container is created.

4.3.2 Windows - EFS

On Windows system the main file system is NTFS (New Technology File System) and it does support encryption
through EFS (Encrypted File System); on top of a NTFS filesystem the metadata of the file (or folder) is changed
and the content associated is encrypted with AES-256 (optionally with 3DES or DESX). This feature has been
introduced since Windows 2000 and improved in later versions of the system.
The latest version supports multiple shared encrypted files, authentication with publc certificate and with
smart card and encryption of the swap file.
From the point of view of the security, this system is quite laking as the file can still be modified externally
(for example renamed) and the file name can still be read (possibly disclosing its content). On the other hand,
from the point of view of simplicity, this system is very easy to use, as the steps for encrypting a file are just
three: right-click on the file to encrypt. click on Advanced and then check Encrytpt contents to secure data.

4.3.3 Mac OS X - FileVault

Machintosh systems offer data protection for the whole home folder of the user; this is generally good, since
the user doen’t have to select which files to protect. However one of its main drawbacks is that solely the home
folder is protected, while the rest of the operating system is unprotected; so there is no Full Disk Encryption
support and preservation of the encryption of data on external devices is impossible.
The adopted algorithm is the Advanced Encryption Standard with a 128 bit key derived directly from the
users’ password; when the user is logged on the system, there is no need for insertion of a password, making this
solution very transparent. It is also possible to set up a master password for unlocking or restoring a FireVault
account, very usefult for recovery. The system implements a Virtual Disk Encyption method as it creates a
container of expandable dimensions, moves the contents of the home folder there, encrypts the container and
mounts it where the home folder was previously located.
This solution is easy to enable, in System Setting, click Security and then Activate FileVault. Latest versions
of this software were addressing the performance impact which has been drastically reduced over time. For
more information please consult [8].

4.4 Final Benchmarks

In order to understand the performance impact of the different solutions, several tests were run over the en-
crypted file systems; more precisely the time was recorded to perform the following operations:

1. write 1 file of dimension 1B, 1kB, 10kB, 100kB, 1MB, 10MB with sequences of 1 byte;

2. write 1 file of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 1024 bytes;

3. write 1 file of dimension 100kB, 1MB, 10MB, 100MB, 1GB, 4GB with blocks of 4096 bytes;

4. write 100 files of dimension 1B, 1kB, 10kB, 100kB, 1MB with sequences of 1 byte;

5. write 100 files of dimension 1kB, 10kB, 100kB, 1MB, 10MB, 100MB with blocks of 1024 bytes;

6. write 100 files of dimension 100kB, 1MB, 10MB, 100MB with blocks of 4096 bytes.
4.4 Final Benchmarks 14

The tests for Full Disk Encryption were run on a Windows XP machine, Intel Pentium 4 HT 3,8GHz with
2 GB of RAM, 10000rpm 40 GB SATA disk with NTFS.
The tests for Virtual Disk/Volume Encryption were run on a Ubuntu Linux 7.10 machine, Intel Core 2 Duo
2,8GHz with 2 GB of RAM, 7200rpm 10 GB SATA disk. The filesystem adopeted for the tests was FAT so to
mantain a layer of compatibility among the different solutions.

4.4.1 Volume Encryption

This test put in comparison the performance of physical volumes encrypted with TrueCrypt, BestCrypt and
cryptsetup with the performance of a plain filesystem (FAT). Here is the result of the tests (time expressed in
seconds), followed by some analysis:
XXX
XXX Software
vfat TrueCrypt BestCrypt cryptsetup
File size
XXX
XX
1B 0,016 0,015 0,015 0,015
1 kB 0,021 0,021 0,025 0,022
10 kB 0,76 0,075 0,074 0,068
100 kB 0,567 0,539 0,542 0,547
1 MB 5,389 5,478 5,291 5,359
10 MB 54,261 56,157 5,473 55,574

Table 4.1: Volume Encryption perfomance test #1 (one file from single bytes).

XXX
X XX Software vfat TrueCrypt BestCrypt cryptsetup
File size
XXX
XX
1 kB 0,015 0,015 0,014 0,016
10 kB 0,015 0,015 0,015 0,016
100 kB 0,02 0,016 0,016 0,018
1 MB 0,03 0,28 0,032 0,034
10 MB 0,131 0,135 0,136 0,137
100 MB 1,2 1,4 3,688 5,168
1 GB 19,005 41,96 53,253 77,42
4 GB 48,899 156,476 200,418 421,747

Table 4.2: Volume Encryption perfomance test #2 (one file from blocks of 1024 bytes).

XXX
X Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XX
XX
100 kB 0,028 0,026 0,015 0,017
1 MB 0,029 0,029 0,022 0,025
10 MB 0,101 0,088 0,104 0,093
100 MB 0,915 1,17 3,328 5,772
1 GB 32,044 39,585 39,592 133,961
4 GB 41,316 153,541 161,019 404,589

Table 4.3: Volume Encryption perfomance test #3 (one file from blocks of 4096 bytes).
4.4 Final Benchmarks 15

XXX
XXX Software
vfat TrueCrypt BestCrypt cryptsetup
File size
XXX
XX
1B 0,715 0,715 0,093 0,774
1 kB 1,354 1,559 1,683 1,324
10 kB 6,800 6,668 7,432 6,631
100 kB 55,231 54,039 55,318 60,418
1 MB 210,284 562,170 553,444 543,940

Table 4.4: Volume Encryption perfomance test #4 (multiple files from single bytes).
XXX
X Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XXX
X
1 kB 0,396 0,829 0,905 0,765
10 kB 0,398 0,731 1,019 0,831
100 kB 0,545 0,825 1,259 0,957
1 MB 2,485 3,090 5,492 5,757
10 MB 24,901 34,569 59,463 126,050
100 MB 158,549 694,73 452,373 1034,821

Table 4.5: Volume Encryption perfomance test #5 (multiple files from blocks of 1024 bytes).
XXX
X Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XX
XX
100 kB 0,892 0,873 0,959 0,991
1 MB 2,461 2,192 6,560 5,260
10 MB 14,417 37,550 62,043 60,748
100 MB 143,273 425,355 391,263 968,217

Table 4.6: Volume Encryption perfomance test #6 (multiple files from blocks of 4096 bytes).

Conclusions
From the data of above it is possible to notice that the greatest overhead is tangible when dealing with files
greater than 100 MB. Most of the the slowness is due to the old architecture of the targe file system (FAT), but
for small files there actually no sensible performance loss. Instead for large files (over the gigabyte) the write
time is as much as 10 times greater, but generally is only three or four time slower.
Overall, the analized software performed quite well, sometimes even performing better than the plain
filesystem, but every solution has problems with large files: cryptsetup is the wrost when dealing with large
files, but on the other hand it performs slightly better than others for small files, especially sequential ones;
TrueCrypt sustained perfectly all the tests for single files, but was outdo by BestCrypt for handling sequential
files; moreover BestCrypt incredibly enhances the performance of file system for files generated by single bytes
of considerable dimension (10MB) most likely thanks to heavy buffer usage.

4.4.2 Virtual Disk Encryption

This series of tests continues the analysis of presented programs (TrueCrypt, BestCrypt and cryptsetup) by
checking the virual container imlpementation. This time there is an unevitable perfomance loss, because con-
tainers reside on top of another file system and every opeation must go through a virtual device and then to a
physical one.
The file system of the target containers is always FAT, guaranteeing coherent tests among the different
software. In the following tables the first column describes again the perfomance of a standard FAT disk, in
order to fully understand the differnt behaviour.
4.4 Final Benchmarks 16

XX
XXX Software
XX vfat TrueCrypt BestCrypt cryptsetup
File size XXX
X
1B 0,016 0,019 0,009 0,015
1 kB 0,021 0,021 0,018 0,022
10 kB 0,076 0,074 0,070 0,069
100 kB 0,567 0,554 0,516 0,563
1 MB 5,389 5,610 5,359 5,229
10 MB 54,261 45,882 27,297 30,505

Table 4.7: Virtual Disk Encryption perfomance test #1 (one file from single bytes).
XXX
X Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XX
XX
1 kB 0,015 0,016 0,017 0,015
10 kB 0,015 0,016 0,016 0,017
100 kB 0,020 0,017 0,016 0,018
1 MB 0,030 0,034 0,031 0,028
10 MB 0,131 0,134 0,133 0,129
100 MB 1,200 4,541 5,354 9,605
1 GB 19,005 60,163 70,150 131,113
4 GB 48,999 256,588 286,357 504,603

Table 4.8: Virtual Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes).
XX
XX Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XXX
X
100 kB 0,026 0,016 0,017 0,015
1 MB 0,029 0,025 0,023 0,024
10 MB 0,101 0,096 0,099 0,131
100 MB 0,915 4,550 5,514 15,981
1 GB 32,044 54,415 66,656 122,605
4 GB 41,346 261,346 264,723 439,648

Table 4.9: Virtual Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes).
XXX
X Software
XXX vfat TrueCrypt BestCrypt cryptsetup
File size XX
XX
1B 0,715 0,886 1,071 0,888
1 kB 1,354 1,558 1,511 1,946
10 kB 6,800 7,154 7,226 8,078
100 kB 55,231 56,646 56,108 58,125
1 MB 210,284 559,804 559,919 571,746

Table 4.10: Virtual Disk Encryption perfomance test #4 (multiple files from single bytes).
4.4 Final Benchmarks 17

XXX
XXX Software
vfat TrueCrypt BestCrypt cryptsetup
File size
XXX
XX
1 kB 0,396 0,843 0,944 0,830
10 kB 0,398 0,805 0,892 0,902
100 kB 0,545 1,057 1,122 1,156
1 MB 2,485 8,366 9,030 13,320
10 MB 24,901 69,124 86,329 118,151
100 MB 158,549 694,730 702,611 2422,278

Table 4.11: Virtual Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes).
XXX
XXX Software
vfat TrueCrypt BestCrypt cryptsetup
File size
XX
XXX
100 kB 0,892 0,872 0,959 0,861
1 MB 2,461 7,871 6,560 11,762
10 MB 14,417 61,775 62,043 86,259
100 MB 143,273 681,704 699,120 1007,887

Table 4.12: Virtual Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes).

Conclusions
As stated before, the perfomance is heavily decreased even for small files, expecally sequences. The file size
threshold is again 100 MB, but this time the slowdown consists in 4 to 6 times for big files and up to 15 times
for sequential files with respect to a standard filesystem.
The charcteristics of the previous results are mantained: cryptsetup behaves better with small files but
is almost unusable with large ones, BestCrypt is fantastic for files generated by single bytes, and TrueCrypt
performs quite well in most cases.

4.4.3 Full Disk Encryption

Another feature of the described programs is that they can encrypt the drive where the operating system is
installed on, implementing a Full Disk Encyrption solution. The measures checked the performance impact at
system boostrap and under normal workload by running the tests of above (§4.4).
PP
PPSoftware
PP no encryption TrueCrypt BestCrypt
Test PPP
Boot time 32,670 38,014 37,017

Table 4.13: Full Disk Encryption boot time test.

XXX
XXX Software
NTFS TrueCrypt BestCrypt
File size
XXX
XX
1B 0,068 0,070 0,070
1 kB 0,111 0,110 0,110
10 kB 0,467 0,466 0,465
100 kB 4,028 4,107 4,047
1 MB 39,745 43,150 41,615

Table 4.14: Full Disk Encryption perfomance test #1 (one file from single bytes).
4.4 Final Benchmarks 18

XXX
XXX Software
NTFS TrueCrypt BestCrypt
File size
XXX
XX
1 kB 0,069 0,070 0,068
10 kB 0,068 0,071 0,069
100 kB 0,074 0,076 0,073
1 MB 0,115 0,120 0,116
10 MB 0,540 0,560 0,551
100 MB 6,113 7,630 7,239
1 GB 60,042 61,478 60,621
4 GB 302,336 293,174 281,187

Table 4.15: Full Disk Encryption perfomance test #2 (one file from blocks of 1024 bytes).
XXX
XX Software
XXX NTFS TrueCrypt BestCrypt
File size XXX
100 kB 0,070 0,068 0,068
1 MB 0,088 0,093 0,090
10 MB 0,296 0,422 0,302
100 MB 6,369 6,340 5,534
1 GB 49,240 76,514 78,760
4 GB 192,774 300,575 292,575

Table 4.16: Full Disk Encryption perfomance test #3 (one file from blocks of 4096 bytes).
XXX
XXX Software
NTFS TrueCrypt BestCrypt
File size
XXX
XX
1B 3,165 3,310 3,216
1kB 6,976 6,875 6,853
10kB 41,742 42,013 41,870
100kB 390,910 391,540 389,477

Table 4.17: Full Disk Encryption perfomance test #4 (multiple files from single bytes).

It was not possible to run the 1 MB files test due to the excessive metadata information stored in NTFS file systems when generating
files from single bytes.
XX
XXX Software
XX NTFS TrueCrypt BestCrypt
File size XXX
X
1kB 2,938 3,100 3,039
10kB 2,973 2,735 2,279
100kB 4,971 3,504 3,454
1MB 7,730 7,947 7,743
10MB 53,159 55,867 59,974
100MB 704,645 737,143 727,411

Table 4.18: Full Disk Encryption perfomance test #5 (multiple files from blocks of 1024 bytes).
4.4 Final Benchmarks 19

XXX
XXX Software
NTFS TrueCrypt BestCrypt
File size
XXX
XX
100kB 3,191 3,258 3,252
1MB 5,291 5,679 5,580
10MB 32,397 33,947 34,130
100MB 684,864 728,103 717,615

Table 4.19: Full Disk Encryption perfomance test #6 (multiple files from blocks of 4096 bytes).

Conclusions
It is possible to notice that the overall performance is not heavily chocked: small and big files don’t suffer at all
from encryption, even sequential file write is not harmed, while only extremely large files are actually lightly
jeopardized.
BestCrypt performed really well in the tests and the operations for setting up the encrypted system were very
basic. Moreover this software supports memory and swap encryption and suits well in dual boot environments,
as it installs a bootloader of its own. Protection is very well performed and in addition, if someone types a
wrong password at PBA it is reported that there has been an attempt to access the computer.
On the other hand TrueCrypt performed a little worse than BestCrypt and during the set up process incom-
patibilies are likely to happen: for example there is no support for dual boot environments and the swap file is
not encrypted. However it integrates well with operating system as it perform several checks over the hardware
before starting the process and forces the user to create a rescue disk containing information about the backed
up the master boot record.
Bibliography

[1] K. Scarfone, M. Souppaya, M. Sexton, Guide to Storage Encryption Technologies for End User Devices,
NIST Special Pubblication 800-111, 2007

[2] A.Silberschatz, P. B. Galvin, G. Gagne, Operating Systems, Chapter 10-11, Pearson Addison-Wesley, VII
Ed., 2006

[3] Wikipedia, the free encyclopedia, Loop device,

http://en.wikipedia.org/wiki/Loop device

[4] Wikipedia, the free encyclopedia, Full disk encryption,

http://en.wikipedia.org/wiki/Full disk encryption

[5] TrueCrypt, TrueCrypt Documentation,

http://www.truecrypt.com/docs

[6] Wikipedia, the free encyclopedia, Comparison of disk encryption software,

http://en.wikipedia.org/wiki/Comparison of disk encryption software

[7] Gentoo-Wiki, Security - System Encryption dm-crypt with LUKS,

http://gentoo-wiki.com/SECURITY System Encryption DM-Crypt with LUKS

[8] Mac OS X 10.4 Help, About FileVault

http://docs.info.apple.com/article.html?path=Mac/10.4/2n/mh1877.html

20
Appendix A

Test script

The tool for running the test was this simple shell script algon with the time utility:

#!/bin/bash

for ((i=0;i<$1;i++))
do
dd if=/dev/zero of=file.bin bs=$2 count=$3
done

The script requires three parameters: the first for the number of files to generate, the second for the block
size and the third for the final file size. During the tests the files generated were always deleted before timing,
so not to deal with overwriting times.
The program dd was used because it is very efficient for byte and block copy and /dev/zero was chosen
as source because it is faster than other (randomized) virtual devices.

21