Presentation is loading. Please wait.

Presentation is loading. Please wait.

Whole Disk Encryption Encrypting drives under Windows, Linux, and MacOSX By: The Doctor [412/724/301/703] [ZS|Media] drwho@virtadpt.net https://drwho.virtadpt.net/

Published byPreston Fox Modified over 7 years ago

Similar presentations

Presentation on theme: "Whole Disk Encryption Encrypting drives under Windows, Linux, and MacOSX By: The Doctor [412/724/301/703] [ZS|Media] drwho@virtadpt.net https://drwho.virtadpt.net/"— Presentation transcript:

1 Whole Disk Encryption Encrypting drives under Windows, Linux, and MacOSX By: The Doctor [412/724/301/703] [ZS|Media] PGP key ID: 0x807B17C1 PGP fingerprint: CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 By: Punkbob (MacOSX stuff) By: Other folks at the DC #cryptoparty License: CC BY-NC-SA v3.0 V1.0

2 What is it? Encrypting all the data on the drive Hard drive
Removable media Data never hits the drive unencrypted Protects data at rest, i.e., when it's offline Protects some data in motion, i.e., if you don't specifically unlock it If you encrypt the OS, you have to unlock it

3 What do people do with it?
Encrypt the system drive to protect everything Requires a passphrase to boot Encrypt a partition to protect some data Requires a passphrase to access but not boot Encrypt removable drives in case they get lost or are stolen No passphrase == no access

4 Options for Windows, I TrueCrypt (https://truecrypt.org/)
Open source, cross-platform (kind of) Can create encrypted volumes that look like big files full of noise Can encrypt hard drives without having to reinstall the OS or data Takes time to complete Will require a passphrase on boot Can create hidden volumes inside of encrypted volumes Deniable If second passphrase not given, volume can potentially be destroyed

5 Options for Windows, I.5 Truecrypt (cont'd)
Can create a hidden volume with a copy of your existing OS Work with less secure stuff in the primary Work with more secure stuff in the secondary Helps mitigate data leakage through temp and swap files Not protecting hidden volume with both passphrase can result in corruption of the hidden volume

6 Options for Windows, II Symantec PGP Desktop
Includes a disk encryption component Requires a passphrase to boot Commercial software Can be centrally managed Multiple keys can access drives Have to trust that there are no backdoors

7 Options for Linux, I LUKS (Linux Unified Key Setup)
Built into the kernel Any file system can be created inside of a LUKS volume (FAT ReiserFS4) Multiple passphrases on the same volume Keyfiles can also be used to unlock volumes Many distros support installing to LUKS volumes Passphrase or keyfile on boot Volumes can be created on any storage media Retrofitting requires backing up and restoring everything or setting up on first install

8 Distributions that support installing to LUKS volumes
Debian/Ubuntu (alternate install disks) Redhat/derivatives Slackware (takes a little work) ftp://ftp.slackware.com/pub/slackware/slackware- current/README_CRYPT.TXT Arch Linux (takes a little work) S Gentoo (takes work)

9 Options for Linux, II EncFS – Encrypted file system in userspace
Sits on top of existing file system Files (and filenames) are encrypted Attempting to manipulate them without accessing will corrupt them Requires no elevated privileges Supported by many distros Ubuntu will ask you to set it up when an account created Can be retrofitted without much trouble Does not protect the rest of your system

10 Options for MacOSX, I Filevault Built into OSX
Introduced with Panther (10.3) Up to 10.6 (Snow Leopard), will encrypt home directory (works like Linux's EncFS) From 10.7 (Lion), can encrypt entire drive (Filevault 2) (works like TrueCrypt) Security history is dodgy VileFault is capable of cracking v1 and v2 Early versions store passphrase in system keychain, where it can be extracted Filevault 1 is vulnerable to keyloggers

11 FileVault, cont'd If your local account can be reset from your Apple ID, Apple can theoretically be coerced or tricked into doing so, which also exposes your encrypted drive (Mountain Lion) You can store your decryption key with Apple, which puts it into someone else's hands. Also, answers to authentication questions can be Googled, social engineered, or inferred Howto:

12 Options for MacOSX, II Symantec PGP Desktop for OSX
Haven't used it, don't know how well it works Good luck.

13 FileVault Warnings If you use it to encrypt your hard drive and you then upgrade OSX to the next release, your system is wrecked You'll have to reinstall everything Decrypt your hard drive before upgrading to the next major release

14 Setting up Truecrypt Download Check the cryptographic signature!
Run the installer Start TrueCrypt System → Encrypt System Partition/Drive Follow the instructions in the wizard It'll ask you to create a rescue disk Burn the .iso image to CD and put it away You can also decrypt a drive this way

15 TrueCrypt Warnings If you upgrade major system components (mainboard, CPU) generate a new rescue disk Rescue disks are unique to that system's hardware configuration Pre-upgrade rescue disks won't work and you'll have to rebuild your system

16 Risks Putting laptops in sleep mode means the data is still accessible – don't do this! Shut your machine down when not in use! Presence of encrypted media is inherently suspicious “What do you have to hide...?” Some agencies train their personnel to assume that hidden volumes are present if they see a copy of TrueCrypt Swap space is often not encrypted If you can encrypt swap space, do so

17 Risks, cont'd Evil Maid attack
Attacker accesses your shut down machine Attacker installs a hacked boot loader Hacked boot loader captures your passphrase or decrypted volume key TPM doesn't help – Evil Maid attack has already been implemented for this Physically lock your machine up somehow Boot from removable media that you trust more USB key that you carry on your person

18 Special Thanks Punkbob for helping me with the MacOSX stuff
Everybody at the DC #cryptoparty who filled in stuff I forgot

19 I know I forgot some stuff...
Here I throw the floor open for discussion... Comments? Questions? Anything we missed?

Download ppt "Whole Disk Encryption Encrypting drives under Windows, Linux, and MacOSX By: The Doctor [412/724/301/703] [ZS|Media] drwho@virtadpt.net https://drwho.virtadpt.net/"

Similar presentations

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
Systems Software System Software Enables the applications software to interact with the computer and Helps the computer manage its internal and external.

Systems Software System Software Enables the applications software to interact with the computer and Helps the computer manage its internal and external.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
Leveraging WinPE and Linux Preboot for Effective Provisioning Jonathan Richey | Director of Development | Altiris, Inc.

Leveraging WinPE and Linux Preboot for Effective Provisioning Jonathan Richey | Director of Development | Altiris, Inc.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 9 A Installing Linux. Synopsis What is needed. How to access the BIOS and boot a CD/DVD. How to repartition the hard drive. The Linux installation.

Chapter 9 A Installing Linux. Synopsis What is needed. How to access the BIOS and boot a CD/DVD. How to repartition the hard drive. The Linux installation.
Data Encryption Overview South Seas Corporation Jared Owensby.

Data Encryption Overview South Seas Corporation Jared Owensby.
Linux Installation Chapter II. Linux Distributions Pre-packaged, installable Linux Anyone can compile a distribution, have to inculde GPL Available for.

Linux Installation Chapter II. Linux Distributions Pre-packaged, installable Linux Anyone can compile a distribution, have to inculde GPL Available for.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
Installation Ubuntu for Libraries. Step 1: Download Head on to Pick Ubuntu 13.04 LTS; just click the big orange.

Installation Ubuntu for Libraries. Step 1: Download Head on to Pick Ubuntu LTS; just click the big orange.
A+ Guide to Managing and Maintaining Your PC, 7e

A+ Guide to Managing and Maintaining Your PC, 7e
KEEP YOUR COMPUTE SAFE AND HOW TO FIX IT 1. OBJECTIVE Keep your computer safe. -Not about spam, phishing or browser hijacks Designed for the non-geek.

KEEP YOUR COMPUTE SAFE AND HOW TO FIX IT 1. OBJECTIVE Keep your computer safe. -Not about spam, phishing or browser hijacks Designed for the non-geek.
Red Hat Installation. Installing Red Hat Linux is the process of copying operating system files from a CD, DVD, or USB flash drive to hard disk(s) on.

Red Hat Installation. Installing Red Hat Linux is the process of copying operating system files from a CD, DVD, or USB flash drive to hard disk(s) on.
Chapter 7 Installing and Using Windows XP Professional.

Chapter 7 Installing and Using Windows XP Professional.
Presented to: Sir Ahmad Karim

Presented to: Sir Ahmad Karim
Mac OS Lion Memory Forensics Using IEEE 1394 to Bypass FileVault 2 Full Volume Encryption. Todd Garrison September 18, 2011.

Mac OS Lion Memory Forensics Using IEEE 1394 to Bypass FileVault 2 Full Volume Encryption. Todd Garrison September 18, 2011.
Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.

Microsoft ® Official Course Module 8 Securing Windows 8 Desktops.
ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

ITE 1 Chapter 5. Chapter 5 is a Large Chapter It has a great deal of useful information about operating systems. You will find this VERY helpful when.

Similar presentations

Ads by Google