[Cryptography] encrypting hard drives (was Re: Shredding a file on a flash-based file system?)

Perry E. Metzger perry at piermont.com
Thu Jun 19 16:09:12 EDT 2014


On Thu, 19 Jun 2014 12:52:47 -0700 Bear <bear at sonic.net> wrote:
> On Thu, 2014-06-19 at 13:48 -0400, Perry E. Metzger wrote:
> >  I must say I do *not*
> > trust hard drives with built in encryption, because there is no
> > way to test that they are working correctly.
> 
> I have never understood the threat model that these drives 
> supposedly protect against.

I think the rationale was basically performance based -- that you
could avoid needing to load the processor with crypto duties,
especially on a box with lots of drives.

However, it clearly is a horrible security model, especially since
manufacturers like Seagate refuse to allow you to access the
ciphertext on drive to assure yourself that all is encrypted in the
manner claimed. Even if they did allow that, the hard drive's
internal controller is yet another independently operating
microprocessor with firmware that could have been sabotaged by a bad
guy.

If performance is really an issue, I think the real solution is to
put an AES accelerator into the on-motherboard side of the disk
controller, and have it completely under the control of the main
CPU's operating system. Treat the hard drive as hostile, never send
it any keying material and never send it any unencrypted data, and
then you don't have to worry about who may have tampered with its
firmware.

(Yes, you still have to worry about your motherboard, but narrowing
the number of things you trust is the only way to make audits
tractable.)

> Of course, even if something that acts like that appears, 
> which is unlikely, it will be a fake. Various agencies simply 
> will not allow manufacturers to make a system that crooks 
> cannot break into.

I think you're being overly pessimistic. Just because certain
manufacturers have bought the "help" that various agencies are giving
out without questioning it sufficiently does not mean manufacturing
good designs is actually impossible.

Perry
-- 
Perry E. Metzger		perry at piermont.com
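
An added illustration of the design argued for in the message above (not part of the original post, and not any vendor's or project's code): a simulated drive is treated as hostile, the key stays in a host-side layer, and because the host can read the raw ciphertext it can audit what was stored. The class names, sample key and record are constructed for this example, and the HMAC-SHA256 keystream is a standard-library stand-in for a real disk mode such as AES-XTS.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector in this simulation

class HostileDrive:
    """Simulated drive: stores what it is sent and logs it, as tampered firmware could."""
    def __init__(self):
        self.sectors = {}
        self.seen = []  # every byte string the drive was ever handed
    def write(self, lba, data):
        self.seen.append(data)
        self.sectors[lba] = data
    def read(self, lba):
        return self.sectors[lba]

def keystream(key, lba):
    """Per-sector keystream from HMAC-SHA256 used as a PRF (stand-in for AES-XTS)."""
    prf = lambda i: hmac.new(key, lba.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return b"".join(prf(i) for i in range(SECTOR // 32))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HostEncryptedDisk:
    """Host-side layer: the key lives here and is never passed to the drive."""
    def __init__(self, drive, key):
        self.drive, self._key = drive, key
    def write(self, lba, plaintext):
        padded = plaintext.ljust(SECTOR, b"\0")
        self.drive.write(lba, xor(padded, keystream(self._key, lba)))
    def read(self, lba):
        return xor(self.drive.read(lba), keystream(self._key, lba))

def audit(drive, key, known):
    """Recompute the expected ciphertext on the host and compare with raw drive contents."""
    for lba, plaintext in known.items():
        expected = xor(plaintext.ljust(SECTOR, b"\0"), keystream(key, lba))
        if drive.read(lba) != expected:
            return False
    # The drive must never have been handed the key or any known plaintext.
    return not any(key in s or p in s for s in drive.seen for p in known.values())

def demo():
    key, drive = bytes(range(32)), HostileDrive()  # constructed key, simulated drive
    disk = HostEncryptedDisk(drive, key)
    known = {0: b"constructed secret record"}      # constructed sample data
    disk.write(0, known[0])
    return audit(drive, key, known)
```

The audit is possible only because the raw stored bytes are readable from the host, which is the access the message says self-encrypting drives withhold.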

