Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device (e.g., a hard disk). This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.
Disk encryption methods aim to provide three distinct properties:
The first property requires defining an adversary from whom the data is being kept confidential. The strongest adversaries studied in the field of disk encryption have these abilities:
A method provides good confidentiality if the only information such an adversary can determine over time is whether the data in a sector has or has not changed since the last time they looked.
The second property requires dividing the disk into several sectors, usually 512 bytes (bits) long, which are encrypted and decrypted independently of each other. In turn, if the data is to stay confidential, the encryption method must be tweakable; no two sectors should be processed in exactly the same way. Otherwise, the adversary could decrypt any sector of the disk by copying it to an unused sector of the disk and requesting its decryption. Whereas a purpose of a usual block cipher
EK
K
T | |
E | |
K |
K
T
The third property is generally non-controversial. However, it indirectly prohibits the use of stream ciphers, since stream ciphers require, for their security, that the same initial state not be used twice (which would be the case if a sector is updated with different data); thus this would require an encryption method to store separate initial states for every sector on disk—seemingly a waste of space. The alternative, a block cipher, is limited to a certain block size (usually 128 or 256 bits). Because of this, disk encryption chiefly studies chaining modes, which expand the encryption block length to cover a whole disk sector. The considerations already listed make several well-known chaining modes unsuitable: ECB mode, which cannot be tweaked, and modes that turn block ciphers into stream ciphers, such as the CTR mode.
These three properties do not provide any assurance of disk integrity; that is, they don't tell you whether an adversary has been modifying your ciphertext. In part, this is because an absolute assurance of disk integrity is impossible: no matter what, an adversary could always revert the entire disk to a prior state, circumventing any such checks. If some non-absolute level of disk integrity is desired, it can be achieved within the encrypted disk on a file-by-file basis using message authentication codes.
Disk encryption methods are also distinguished into "narrow-block" and "wide-block" methods. For a sector-sized plaintext, narrow-block method encrypts it in multiple blocks, while a wide-block methods does it in just one. Narrow-block methods such as LRW, XES, and XTS allow an attacker to exploit the block granularity to perform traffic analysis and replay. A wide-block cipher ideally makes the entire ciphertext unrecognizable for a change anywhere in the plaintext.[1]
Like most encryption schemes, block cipher-based disk encryption makes use of modes of operation, which allow encrypting larger amounts of data than the ciphers' block-size (typically 128 bits). Modes are therefore rules on how to repeatedly apply the ciphers' single-block operations.
Cipher-block chaining (CBC) is a common chaining mode in which the previous block's ciphertext is xored with the current block's plaintext before encryption:
Ci=EK(Ci-1 ⊕ Pi).
Since there isn't a "previous block's ciphertext" for the first block, an initialization vector (IV) must be used as
C-1
CBC suffers from some problems. For example, if the IVs are predictable, then an adversary may leave a "watermark" on the disk, i.e., store a specially created file or combination of files identifiable even after encryption. The exact method of constructing the watermark depends on the exact function providing the IVs, but the general recipe is to create two encrypted sectors with identical first blocks
b1
b2
b1 ⊕ IV1=b2 ⊕ IV2
b1
b2
To protect against the watermarking attack, a cipher or a hash function is used to generate the IVs from the key and the current sector number, so that an adversary cannot predict the IVs. In particular, the ESSIV approach uses a block cipher in CTR mode to generate the IVs.
ESSIV[2] is a method for generating initialization vectors for block encryption to use in disk encryption. The usual methods for generating IVs are predictable sequences of numbers based on, for example, time stamp or sector number, and permit certain attacks such as a watermarking attack. ESSIV prevents such attacks by generating IVs from a combination of the sector number SN with the hash of the key. It is the combination with the key in form of a hash that makes the IV unpredictable.
IV(rm{SN})=Es(SN), where s=hash(K).
ESSIV was designed by Clemens Fruhwirth and has been integrated into the Linux kernel since version 2.6.10, though a similar scheme has been used to generate IVs for OpenBSD's swap encryption since 2000.[3]
ESSIV is supported as an option by the dm-crypt[4] and FreeOTFE disk encryption systems.
While CBC (with or without ESSIV) ensures confidentiality, it does not ensure integrity of the encrypted data. If the plaintext is known to the adversary, it is possible to change every second plaintext block to a value chosen by the attacker, while the blocks in between are changed to random values. This can be used for practical attacks on disk encryption in CBC or CBC-ESSIV mode.[5]
The tweakable narrow-block encryption (LRW)[6] is an instantiation of the mode of operations introduced by Liskov, Rivest, and Wagner[7] (see Theorem 2). This mode uses two keys:
K
F
K
F
P
I
\begin{align} X&=F ⊗ I,\\ C&=EK(P ⊕ X) ⊕ X. \end{align}
Here multiplication
⊗
⊕
GF\left(2128\right)
F ⊗ I=F ⊗ (I0 ⊕ \delta)=F ⊗ I0 ⊕ F ⊗ \delta
F ⊗ \delta
\delta
Some security concerns exist with LRW, and this mode of operation has now been replaced by XTS.
LRW is employed by BestCrypt and supported as an option for dm-crypt and FreeOTFE disk encryption systems.
See main article: Xor–encrypt–xor. Another tweakable encryption mode, XEX (xor–encrypt–xor), was designed by Rogaway to allow efficient processing of consecutive blocks (with respect to the cipher used) within one data unit (e.g., a disk sector). The tweak is represented as a combination of the sector address and index of the block within the sector (the original XEX mode proposed by Rogaway allows several indices). The ciphertext,
C
\begin{align} X&=EK(I) ⊗ \alphaj,\\ C&=EK(P ⊕ X) ⊕ X, \end{align}
where:
P
I
\alpha
GF(2128)
x
j
j\geq1
j\geq0
The basic operations of the LRW mode (AES cipher and Galois field multiplication) are the same as the ones used in the Galois/Counter Mode (GCM), thus permitting a compact implementation of the universal LRW/XEX/GCM hardware.
The original XEX has a weakness.[8]
Ciphertext stealing provides support for sectors with size not divisible by block size, for example, 520-byte sectors and 16-byte blocks. XTS-AES was standardized on December 19, 2007[9] as IEEE P1619.[10] The XTS standard requires using a different key for the IV encryption than for the block encryption; this differs from XEX which uses only a single key.[11] [12] As a result, users wanting AES-256 and AES-128 encryption must supply 512 bits and 256 bits of key respectively. The two keys (i.e., both halves of the XTS key) must be distinct for XTS to be CCA-secure, since XTS computes the sequence
\alphaj
j=0
j=1
On January 27, 2010, NIST released Special Publication (SP) 800-38E[13] in final form. SP 800-38E is a recommendation for the XTS-AES mode of operation, as standardized by IEEE Std 1619-2007, for cryptographic modules. The publication approves the XTS-AES mode of the AES algorithm by reference to the IEEE Std 1619-2007, subject to one additional requirement, which limits the maximum size of each encrypted data unit (typically a sector or disk block) to 220 AES blocks. According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than the other approved confidentiality-only modes against unauthorized manipulation of the encrypted data."
XTS is supported by BestCrypt, Botan, NetBSD's cgd,[14] dm-crypt, FreeOTFE, TrueCrypt, VeraCrypt,[15] DiskCryptor, FreeBSD's geli, OpenBSD softraid disk encryption software, OpenSSL, Mac OS X Lion's FileVault 2, Windows 10's BitLocker[16] and wolfCrypt.
XTS mode is susceptible to data manipulation and tampering, and applications must employ measures to detect modifications of data if manipulation and tampering is a concern: "...since there are no authentication tags then any ciphertext (original or modified by attacker) will be decrypted as some plaintext and there is no built-in mechanism to detect alterations. The best that can be done is to ensure that any alteration of the ciphertext will completely randomize the plaintext, and rely on the application that uses this transform to include sufficient redundancy in its plaintext to detect and discard such random plaintexts." This would require maintaining checksums for all data and metadata on disk, as done in ZFS or Btrfs. However, in commonly used file systems such as ext4 and NTFS only metadata is protected against tampering, while the detection of data tampering is non-existent.
The mode is susceptible to traffic analysis, replay and randomization attacks on sectors and 16-byte blocks. As a given sector is rewritten, attackers can collect fine-grained (16 byte) ciphertexts, which can be used for analysis or replay attacks (at a 16-byte granularity). It would be possible to define sector-wide block ciphers, unfortunately with degraded performance (see below).[17]
CMC and EME protect even against the minor leak mentioned above for LRW. Unfortunately, the price is a twofold degradation of performance: each block must be encrypted twice; many consider this to be too high a cost, since the same leak on a sector level is unavoidable anyway.
CMC, introduced by Halevi and Rogaway, stands for CBC–mask–CBC: the whole sector encrypted in CBC mode (with
C-1=EA(I)
2(C'0 ⊕ C'k-1)
P0
In order to solve this problem, Halevi and Rogaway introduced a parallelizable variant called EME (ECB–mask–ECB). It works in the following way:
L=EK(0)
P'i=EK(Pi ⊕ 2iL)
MC=EK(MP)
i=1,\ldots,k-1
Ci=EK(C'i) ⊕ 2iL
i=0,\ldots,k-1
K
CMC and EME were considered for standardization by SISWG. EME is patented, and so is not favored to be a primary supported mode.[18]
HCTR (2005) is mode of operation for block ciphers that is length-preserving, wide-block, and tweakable.[19] It, however, has a bug in the specification and another in its security proof, rendering its claimed security level invalid. HCTR2 (2021) is a variant that fixes these issues and improves on security, performance, and flexibility.[20] HCTR2 is available in the Linux kernel since version 6.0.
HCTR and HCTR2 uses a custom block cipher mode of operation called XCTR; AES-128-XCTR is usually used for HCTR2. HCTR2 uses a polynomial hash function called POLYVAL. HCTR2 is efficient on modern processors with an AES instructions and carry-less multiplication instructions.[20]
The HBSH (hash, block cipher, stream cipher, hash) construction, published by Google employees in 2018, allow a fast stream cipher to be used in disk encryption. The Adiantum scheme used in low-end Android devices specifically chooses NH, 256-bit Advanced Encryption Standard (AES-256), ChaCha12, and Poly1305. The construction is tweakable and wide-block. It requires three passes over the data, but it still faster than AES-128-XTS on a ARM Cortex-A7 (which has no AES instruction set).[21] It is available in Linux kernel since version 5.0.
In 2023, Aldo Gunsing, Joan Daemen and Bart Mennink presented the "double-decker" construction, which also uses a stream cipher. It is again tweakable and wide-block.[1]
While the authenticated encryption scheme IAPM provides encryption as well as an authentication tag, the encryption component of the IAPM mode completely describes the LRW and XEX schemes above, and hence XTS without the ciphertext stealing aspect. This is described in detail in Figures 8 and 5 of the US patent 6,963,976.[22]