Encrypted File Systems
In one episode of “Miami Vice” Crockett and Tubbs have managed to gain access to a drug runner's computer, only to be stymied by its insistence on a password before presenting incriminating evidence. Not to worry—after only three unsuccessful guesses, the helpful computer offered to reveal the secret password to our heroes. It's easy to laugh at this plot development, but many otherwise intelligent people continue to do equally dumb things.
Consider the law office where legal papers are always kept in locked cabinets behind locked doors. Every computer on the LAN also has access to the “password-protected” word processing documents, but the encryption can be broken in seconds with readily available software. The name of this program, and the files it can crack, are in the sci.crypt FAQ. These files could be retrieved by a hostile agent “working” for a cleaning contractor.
Or consider the company with sales offices spread nationwide. Highly sensitive pricing and contact information is distributed on CD-ROM discs, which are discarded as soon as each new disc arrives. Alternately, a salesman may have his laptop stolen while on the road. (See Practical UNIX and Internet Security, Garfinkel and Spafford, O'Reilly and Associates, 1996.)
Or consider the individual computer owner who leaves his system in a shop for free installation of an upgrade. One of the employees quietly copies a few files, and by the time the victim learns of the extent of the identity theft it's too late—he's already recommended the same shop to several of his friends for the unusually good service.
For every complex problem there is an answer that is clear, simple and wrong. --H. L. Mencken
The simple solution to these problems is file encryption. But this solution is flawed for several reasons:
Encryption within programs is generally weak to the point of uselessness due to U.S. export regulations.
Encryption outside programs requires explicit actions to decrypt and to re-encrypt. This problem may be manageable if a file needs to be accessed only by a single user, but it's a much more difficult problem if several people need to share access.
Explicit encryption requires sharing the password, and the more people who have the password, the more likely it becomes that someone will jot it down in an obvious location.
Explicit encryption may enable a disgruntled employee to encrypt the files with a different password.
Decrypting a file increases the risk that unencrypted versions will remain on the disk or on backup media.
Our solution is to encrypt the entire file system. User programs see a regular file system—perhaps even a file system that natively supports encryption. An attacker who can only see the physical disk sees garble.
This approach is not perfect. Most notably, some implementations could leave decrypted data visible in the disk cache. That is a minor problem with the cache in core (if an attacker has compromised root, you have more serious problems), but a major problem if these pages get written to swap.
On the other hand, the kernel ensures that disk sectors are decrypted during reads and re-encrypted during writes. The impact on users is minimal. In one practical scenario, a “responsible individual” will mount the encrypted file system in the morning. (This requires the encryption key.) In the evening, the last person to leave could unmount the file system, or it could be automatically unmounted by a cron job.
Better the devil we know... --Anonymous
We've agreed on the desirability of encrypting file system. But which encryption algorithm should we use? The wrong choice will leave us with a false sense of security.
Writing our own encryption routines is one possibility. The downside is encryption algorithms are notoriously difficult to properly design and implement. The problem is that the designer does not know what others will find difficult. He only knows what he finds difficult. Mathematics is littered with the bodies of “difficult” problems which became trivial after one person had a flash of insight.
As a practical matter, we should limit our search to well-known encryption algorithms. This has the additional benefit of allowing us to share encrypted file systems with others with a minimum amount of hassle.