Hacker News new | ask | show | jobs
by tptacek 4351 days ago
EcryptFS and Truecrypt are very different systems.

Truecrypt is simulated hardware encryption. It creates a virtual encrypted hard disk, which your operating system can more or less treat like an ordinary hard disk, but for the kernel hooks Truecrypt adds to lock and unlock the disk.

EcryptFS is an encrypted filesystem. Unlike Truecrypt, which encrypts individual disk blocks, systems like EcryptFS encrypt and decrypt whole files.

All else being equal, you'd prefer an encrypted filesystem to a simulated encrypted hard disk. Some of the reasons are technical: the crypto involved in encrypting a block device is crappier than the crypto involved in protecting a file (most notably, block crypto is typically not authenticated). But at a higher level, the reason is that you'd like your cryptosystem to have as much information to work with as possible, and one nice bit of information for it to have is where files begin and end.

All things are not equal though, and to select EcryptFS over Truecrypt, you also have to select EcryptFS's design and implementation over Truecrypt's. Truecrypt's design is simple and has been looked at more carefully than EcryptFS's. On the other hand, Truecrypt is an XTS cryptosystem, which isn't great. I would have a hard time making a recommendation between the two.

It's more important that you understand the limitations of transparent disk encryption. Unless you are pretty regularly telling your crypto software that it's OK to unlock a given file or disk or whatever, then it's probably "always on", and your keys are always resident in memory, and your files are more or less always exposed to malware. Malware is a much scarier threat (for most people) than police raids.

If you're interested: we work in a pretty high-risk environment (we handle a lot of hazmat). Our general crypto regime at Matasano is:

* Everyone uses Filevault2's native XTS disk encryption (along with some fiddly rules for what state your machine needs to be in if it's in your bag).

* Everyone uses OS X encrypted DMGs (I don't remember what the block crypto design for DMGs is, but you can check out John the Ripper if you're curious) to isolate different projects; we audit machines to make sure keys aren't in the keyring.

* Everyone uses PGP for email and to encrypt specific files.

If this sounds like a pain in the ass, be aware that this is pretty close to the minimum viable amount of security you can be providing a mobile device; if you're skipping one of these steps, you should know why.
6 comments
wyager 4351 days ago
>All else being equal, you'd prefer an encrypted filesystem to a simulated encrypted hard disk.

I disagree for these reasons:

1. This decreases composability. With encrypted filesystems, I can't mix and match filesystems and cryptosystems to suit my needs. There is no reason they need to be convolved.

2. This increases complexity. Now, the person writing the software has to be an expert in both filesystems and cryptosystems if they want to do a good job. There is more room for error. (You might say it violates the UNIX philosophy of "do one thing and do it well".)

3. This leaks information to an attacker. They know the layout of my files even without my password. I'm more comfortable with absolutely everything looking like a giant monolithic block of random data.

link
tptacek 4351 days ago
There's nothing I can say in response to this comment that I haven't already said upthread and here:

http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/

link
wyager 4350 days ago
Thanks for the link. Those are some very valid points.
link
tptacek 4350 days ago
Of course, there's some validity to the "composability" point, which is why we use both full-disk encryption and encryption at the filesystem layer. I don't think enabling full-disk encryption is a bad thing. Having full-disk encryption is what allows me not to panic if I leave my laptop in the unlocked back seat of my car; I don't have to worry about what state the filesystem was in, because the whole disk is locked.
link
pbsd 4351 days ago
Do you guys only use OS X over there, or are there equivalent setups for other systems?
link
tptacek 4351 days ago
The iSEC people use Windows and Linux, but I don't know what they use for encryption. Everyone at Matasano is on OS X.
link
atmosx 4351 days ago
What kind of encryption do you use at Matasano?

You use the build-in disk image encrypted volumes (AES-128/256 IIRC), or some proprietary software? Do you have a standard policy (e.g. FileVault) or no?

link
dchest 4350 days ago
See the bottom of the grand-grandparent comment https://news.ycombinator.com/item?id=8059218
link
atmosx 4349 days ago
thanks
link
hadoukenio 4350 days ago
That's a great explanation. Thanks for that. Now I'm curious about why it's so locked down at Matasano... what are the main threats to need full-disk encryption and then multiple encrypted containers per project?

I should have explained my reasoning for originally choosing ecryptfs. I find it really convenient doing a backup of ecryptfs' cipher-text. Since it's simple files, an rsync will do. If I wanted to backup virtual encrypted disks, I would first have to mount source and destination to do an rsync, or painstakingly do an entire dd without the mount... maybe I'm just doing it wrong?

link
wglb 4345 days ago
First protection is against laptop being stolen and the hazmat is exposed.

Separate vaults are useful if you have multiple clients, say, and you are doing pen tests. While you are working on one, the others are not unlocked.

link
objectivefs 4351 days ago
For laptops it might be easier to avoid storing any of your sensitive data to disk.

Use a non-local encrypted filesystem per project to get the isolation and to avoid your local storage. Mount the project filesystem when needed, unmount it when done, and when not in use it is simply inaccessible to the laptop.

While any encrypted filesystem not stored on your laptop would work for this, ours[1] makes this workflow very easy.

[1] https://objectivefs.com

link
ynniv 4350 days ago
block crypto is typically not authenticated

Is this simple oversight?

you'd like your cryptosystem to have as much information to work with as possible, and one nice bit of information for it to have is where files begin and end.

Doesn't this leak information? An attacker knows very little about an opaque block, but may be able to use file length and modification order to some advantage.

link
tptacek 4350 days ago
No, it's not simple oversight. Here's my best stab at an explanation:

http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/

Regarding information leakage: both schemes leak some degree of information (for reasons I get into in that post, XTS is deterministic). But because encrypted filesystems don't have to respect strict block boundaries, they can do a variety of things to limit or eliminate leakage. It's much harder for block device crypto to solve this problem.

Naive encrypted filesystems don't, of course. Like I said, I'd have a hard time making a recommendation between Truecrypt and EcryptFS.

link
ynniv 4350 days ago
Regarding authentication it only mentions performance and block failure. It seems that your company does use encrypted DMGs, so are these problem mitigated by having a larger encrypted unit size and reliable data storage?
link
tptacek 4350 days ago
Think about it. How do you authenticate a block device?

Do you:

(a) Authenticate the ciphertext of the whole device as a unit? So, any time you update any block on the entire disk, you also need to update the MAC tag? What happens if you do that? Any block corruption occurring anywhere on the device breaks the MAC tag for the entire disk.

(b) Authenticate each individual sector? Where do you store the MAC tags? There's an awful lot of sectors on a disk. Also: what does it mean to have a single corrupted sector in a file consisting of many sectors?

(c) ???

Of course, the answer is that full-disk encryption tools (ie simulated encrypted disks, like Truecrypt) don't authenticate. There's no good place to store the tags and no good units of data to authenticate.

What does it mean that encrypted disk sectors aren't authenticated? Well, it means two things:

(i) Attackers can perform targeted rewrites of data on the disk, typically at a full-sector level; in practice, this means that they can randomize any sector of the disk, and the encryption software can't know that the now-random data isn't real data, nor can the operating system. By aiming these random blocks at trusted metadata or executable binary code, attackers can potentially turn this ability into a much more serious attack.

(ii) Because the encryption software must trust the outcome of decryption, even when attackers tamper with data to make its output random, attackers gain the ability to feed chosen ciphertext into the encryption software. This sounds like an academic concern, but it's the basis for many of cryptosystem attack classes we've learned about in the past decade, most notably the padding oracles.

link
mhogomchungu 4350 days ago
>Authenticate each individual sector? Where do you store the MAC tags? There's an awful lot of sectors on a disk. Also: what does it mean to have a single corrupted sector in a file consisting of many sectors?

openbsd does this with their geli tool[1]. Look at the tool's documentation for the "-a" option.

The authentication stuff are stored on the sector itself. I remember looking at their implementation a while ago but cant seem to be able to dig up the documentation link at the moment.

[1] http://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8&manp...

link
Khaine 4350 days ago
Do you guys use anything to manage your encrypted DMGs (like knox https://agilebits.com/knox)?
link
daeken 4350 days ago
I can't speak to their current setup, but when I was there, pretty much everyone used Knox. Great app.
link