Re: How does whole-disk encryption work?

Discussion in 'Computer Security' started by Regis, Jan 4, 2010.

  1. Regis

    Regis Guest

    Prof Wonmug <> writes:

    > In another thread, nemo suggested I consider "whole disk" encryption
    > with something like using truecrypt, bestcrypt, PGP wholedisk,
    > drivecrypt, free compusec, etc.
    >
    > I would like to understand how this works and what the disadvantages
    > are.
    >
    >
    > 1. I assume all of the above are software solutions, right? Does the
    > data on the disk remain encrypted? Does the encryption software
    > intercept the reads and writes to do the decryption and encryption on
    > the fly?
    >
    > 2. Is it transparent to all of the applications (Word, Excel, Outlook,
    > Explorer, etc.)?
    >
    > 3. Do I have a second password to enter? (One for logging into Windows
    > and one for the encrypted data?)
    >
    > 4. Does it affect system performance? How much?


    Yes on all counts. They're software solutions, transparent to
    individual applications; the OS performance hit varies by
    implementation, I imagine. I can offer my experience with PGP full
    disk encryption on a core2 solo (i.e. one active core) laptop: you
    kinda noticed it, but not terribly. Then again, disk i/o intensive
    operation wasn't part of my workload on that machine.

    Various products also have a notion of volume/folder encryption
    whereby you have an encrypted file that windows mounts in a way that
    makes it look like a disk drive to the OS. As such, the apps don't
    care, as it is abstracted on the OS level. In addition to hooks in
    the OS, there's a bootloader component to full disk crypto too, but
    I'm ignorant of the details. You may or may not involve a 2nd
    password. PGP for instance can be configured to use Windows
    authentication for its full disk encryption in which case you are
    prompted for the windows password on bootup, but don't have to enter
    it into the usual windows login screen.

    The downside of full disk crypto is that if the encrypted volume gets
    corrupted, you can have quite a headache on your hands where the usual
    methods of trying to pull data off a damaged drive have another layer
    of crypto on top, and it's a whole lot easier to lose your data if you
    aren't fastidious about backing up. And naturally, if you forget the
    password, you are quite screwed.

    I haven't done multiple OS's with full disk encryption, and I have a
    vague notion that there's enough OS dependency that you can't expect
    to boot multiple OS's if you have full disk encryption. Then again I
    know some of the list presented above are available for multiple
    platforms, and I'm ignorant to the particulars, but I believe that if
    you need to dual boot windows/*nix, you can use partition level
    encryption at best. I'm sure someone will set me straight if I'm
    wrong on that, though.
    Regis, Jan 4, 2010
    #1

  2. Regis

    Regis Guest

    Prof Wonmug <> writes:

    > I use Carbonite for backup. It does it continually. Would the files
    > that go to Carbonite for backup be encrypted or clear?


    If Carbonite stores to a volume or disk that is not encrypted, the
    backup would be unencrypted. If carbonite is backing up to a volume
    or disk that is under the management of the disk encryption product,
    the files would be encrypted.
    Regis, Jan 5, 2010
    #2

  3. Regis

    Regis Guest

    Prof Wonmug <> writes:

    > On Tue, 05 Jan 2010 10:26:38 -0600, Regis <> wrote:
    >
    >>Prof Wonmug <> writes:
    >>
    >>> I use Carbonite for backup. It does it continually. Would the files
    >>> that go to Carbonite for backup be encrypted or clear?
    >>
    >>If Carbonite stores to a volume or disk that is not encrypted, the
    >>backup would be unencrypted. If carbonite is backing up to a volume
    >>or disk that is under the management of the disk encryption product,
    >>the files would be encrypted.
    >
    > Carbonite backs up over the Internet to their server. I'm wondering if
    > the type of reads they use access the data before or after decryption.


    Almost certainly after encryption, therefore, what's backed up on
    carbonite's server is your original unencrypted file (assumably
    encrypted using whatever encryption their client uses when sending
    it).

    Remember, full disk encryption is transparent to apps, so assuming
    carbonite has a software client that runs on your machine, carbonite
    will make some api call to read a file from the OS, the full disk
    encryption software is shimmed into the operating system making that
    call look very normal to carbonite's client, the os reads the
    encrypted stuff off the disk, the full disk encryption software's shim
    decrypts it, hands it off to the carbonite client unencrypted, whereby
    I imagine carbonite's client re-encrypts it in whatever way carbonite
    uses, then sends it off to carbonite's server.

    In short, Carbonite will behave exactly as it does on a system without
    full disk encryption.
    Regis, Jan 6, 2010
    #3
  4. Regis

    Regis Guest

    Regis <> writes:

    > Prof Wonmug <> writes:
    >
    >> On Tue, 05 Jan 2010 10:26:38 -0600, Regis <> wrote:
    >>
    >>>Prof Wonmug <> writes:
    >>>
    >>>> I use Carbonite for backup. It does it continually. Would the files
    >>>> that go to Carbonite for backup be encrypted or clear?
    >>>
    >>>If Carbonite stores to a volume or disk that is not encrypted, the
    >>>backup would be unencrypted. If carbonite is backing up to a volume
    >>>or disk that is under the management of the disk encryption product,
    >>>the files would be encrypted.
    >>
    >> Carbonite backs up over the Internet to their server. I'm wondering if
    >> the type of reads they use access the data before or after decryption.
    >
    > Almost certainly after encryption,


    doh. s/encryption/decryption/ Sorry for the possibly confusing
    typo.

    > therefore, what's backed up on
    > carbonite's server is your original unencrypted file (assumably
    > encrypted using whatever encryption their client uses when sending
    > it).
    >
    > Remember, full disk encryption is transparent to apps, so assuming
    > carbonite has a software client that runs on your machine, carbonite
    > will make some api call to read a file from the OS, the full disk
    > encryption software is shimmed into the operating system making that
    > call look very normal to carbonite's client, the os reads the
    > encrypted stuff off the disk, the full disk encryption software's shim
    > decrypts it, hands it off to the carbonite client unencrypted, whereby
    > I imagine carbonite's client re-encrypts it in whatever way carbonite
    > uses, then sends it off to carbonite's server.
    >
    > In short, Carbonite will behave exactly as it does on a system without
    > full disk encryption.
    Regis, Jan 6, 2010
    #4
  5. Regis

    Regis Guest

    Prof Wonmug <> writes:

    >>> In short, Carbonite will behave exactly as it does on a system without
    >>> full disk encryption.
    >
    > On the other hand, if I encrypt individual folders or files, then
    > Carbonite would see them in their encrypted form?


    Heh. We may be running in circles.

    But I *think* I can answer yes, provided you mean "If I individually
    encrypt individual files/folders with gpg, or an encrypted zip
    program, or whatever, that file will look to carbonite as encrypted
    (in the format you specifically encrypted that individual file or
    folder) regardless of whether you're running full disk encryption or
    not."

    Full disk encryption being implemented or not won't change how
    Carbonite or any other program running on that operating system sees
    the files.
    Regis, Jan 8, 2010
    #5
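
The read path discussed in posts #3 to #5, as an added example that is not part of the original thread: a toy sector-level shim shows that the raw disk holds ciphertext, an application reading through the OS gets plaintext, and a file the user encrypted separately stays encrypted to that application. The class names, keys and the SHA-256 keystream are assumptions made for illustration; no real product's cipher or driver interface is modelled.

```python
import hashlib

SECTOR = 512  # bytes per sector

def keystream(key: bytes, sector_no: int) -> bytes:
    """Toy per-sector keystream (SHA-256 in counter mode). A stand-in for a
    real disk cipher, used only to make the layering visible."""
    out, ctr = b"", 0
    while len(out) < SECTOR:
        block = key + sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:SECTOR]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class RawDisk:
    """What is physically stored: sector number -> bytes."""
    def __init__(self):
        self.sectors = {}
    def read(self, n):
        return self.sectors.get(n, bytes(SECTOR))
    def write(self, n, data):
        self.sectors[n] = data

class FdeShim:
    """Hypothetical filter between the OS and the disk. Everything above it
    (Word, a backup agent, ...) reads and writes plaintext sectors."""
    def __init__(self, disk, key):
        self.disk, self.key = disk, key
    def read(self, n):
        return xor(self.disk.read(n), keystream(self.key, n))
    def write(self, n, data):
        padded = data.ljust(SECTOR, b"\0")
        self.disk.write(n, xor(padded, keystream(self.key, n)))

def backup_agent_read(volume, n):
    """An ordinary application: it asks the OS for data, nothing more."""
    return volume.read(n)

def demo():
    disk = RawDisk()
    vol = FdeShim(disk, b"constructed-disk-key")
    doc = b"constructed sample document".ljust(SECTOR, b"\0")
    vol.write(0, doc)                                  # saved normally
    user_ct = xor(doc, keystream(b"constructed-file-key", 0))
    vol.write(1, user_ct)                              # encrypted by the user first
    return {"doc": doc, "user_ct": user_ct,
            "raw_0": disk.read(0), "raw_1": disk.read(1),
            "agent_0": backup_agent_read(vol, 0),
            "agent_1": backup_agent_read(vol, 1)}
```

Anything that bypasses the shim and reads `RawDisk` directly sees only ciphertext, which is the protection full disk encryption gives a powered-off or stolen drive.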