In the last article we talked about Tripwire, which ensures the integrity of the file system. In this article we extend security one level further down, from operating system and application files to the disk itself. Disk encryption is a technique predominantly used in critical open source infrastructures. TrueCrypt is a utility widely used for this purpose.
In the past, the security of data residing on disks was seldom a priority. As a result, the data was securely stored and accessed only as long as the disk remained in the system. An attacker with physical access who pulled the hard disk out could gain complete access to the data, simply by plugging the drive into another system as a secondary volume and reading the file system. This problem was more serious for desktop machines, which could easily be moved between locations, resulting in possible data leakage. This called for a way to encrypt the data such that, even if the disks are moved to a different machine, the contents of the volume are protected and accessible only to successfully authenticated owners. This required a strong encryption system residing on the disk itself, with the necessary authentication services.
How TrueCrypt Works
TrueCrypt is a great open source tool which serves this purpose. It supports Windows and Mac platforms, and also supports almost all Linux distros. Typically, on Ubuntu and CentOS systems running in a business-critical data center, TrueCrypt is widely used to encrypt disk volumes, to keep data safe from physical theft by prying attackers. It works on the principle of "on the fly" encryption, whereby the encryption and decryption operations are performed once the authentication key is provided, and the process takes place transparently to the user. To achieve this, the utility installs kernel-level drivers (Linux) or device drivers (Windows) that hook into the disk management modules of the operating system, thus sitting between disk reads/writes and the application layer.
This also gives TrueCrypt the capability of creating a single encrypted hidden volume inside an existing file system volume, for elevated security. Since it can handle an entire mounted volume, it can easily be used to encrypt data on a USB pen drive too. As for the crypto processing, the utility does it so fast and seamlessly that the user cannot tell that data is being encrypted before it is written to disk. Usually such on-the-fly utilities demand heavy memory and CPU usage, but that's not the case with TrueCrypt. It achieves this by making use of all the CPUs and cores available on the system it is running on. It also uses a technique called pipelining, whereby a portion of the disk is read and decrypted into memory acting as a buffer, in anticipation that the application will want to fetch that piece of data.
TrueCrypt uses a user-entered password to encrypt the volume, and also allows selecting an algorithm for encryption. The accompanying table lists the supported algorithms and the typical usage of each.
AES (256-bit key)
RIPEMD (160-bit key)
Serpent (256-bit key)
SHA-512 (512-bit key)
Twofish (256-bit key)
Whirlpool (512-bit key)
Besides the keys, on Windows machines it also allows the user to generate a random key by moving the mouse randomly. This key is fed to the encryption algorithm to further enhance its strength, thus tightening data encryption security. It is important to note here that there is no bypass or backdoor for the utility if the passphrase is forgotten. Due to the complexity of the algorithms in use, it can practically take millions of years to crack an encrypted volume in such situations. It can also accept PKCS #11 based devices such as smart cards or secure tokens. This also makes TrueCrypt a must-have utility for volumes carrying seriously critical corporate data.
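The following is an added example, not TrueCrypt's code: a simplified model of how a passphrase unlocks an encrypted volume, and why a forgotten passphrase leaves nothing to recover. The header layout, salt length, iteration count and the HMAC-based keystream (a standard-library stand-in for a block cipher such as AES) are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 64        # assumption of this example
ITERATIONS = 50_000  # assumption of this example
TAG_LEN = 64         # HMAC-SHA512 output size


def derive_header_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                               ITERATIONS, dklen=64)


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA512 in counter mode; stands in for a real block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha512).digest()
        counter += 1
    return out[:length]


def create_header(passphrase: str) -> Tuple[bytes, bytes]:
    """Return (header, master_key). Only the header would be stored on disk."""
    salt = os.urandom(SALT_LEN)
    master_key = os.urandom(32)  # random key that would encrypt the data sectors
    hk = derive_header_key(passphrase, salt)
    enc_key, mac_key = hk[:32], hk[32:]
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(enc_key, 32)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha512).digest()
    return salt + ct + tag, master_key


def open_header(passphrase: str, header: bytes) -> Optional[bytes]:
    """Return the master key, or None when the passphrase is wrong."""
    salt = header[:SALT_LEN]
    ct, tag = header[SALT_LEN:-TAG_LEN], header[-TAG_LEN:]
    hk = derive_header_key(passphrase, salt)
    enc_key, mac_key = hk[:32], hk[32:]
    expected = hmac.new(mac_key, salt + ct, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # nothing on disk reveals the key without the passphrase
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))
```

The master key never appears on disk in the clear, so the only route to the data is re-deriving the header key from the passphrase.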
This utility can be downloaded from sourceforge.net/projects/truecrypt/, or the latest available version from www.truecrypt.org. When installing on a GUI-based Ubuntu or similar distro, just unpack and double-click the binary archive to get it installed under Applications > Accessories > TrueCrypt.
Fig. 1 shows a screenshot of TrueCrypt being installed on an Ubuntu distro. Upon running the utility, it gives you a choice to create either an encrypted container, or a protected volume within a partition or disk drive mount. The next step is to select the encryption and hash algorithms, and the passphrases.
Fig. 2 shows a sample screen of installation on the Windows platform. Depending on the system's hardware configuration, it may take a while for TrueCrypt to process the data. This time can be significant for large volumes of data.
IT administrators are advised to try the utility hands-on and gain expertise with it in a lab setup, prior to deploying it on their production infrastructure. This is because there is no mercy or trick to retrieve locked data if the passphrase is forgotten. The drive or mounted volume under TrueCrypt will be totally inaccessible in such situations. This also calls for tighter security mechanisms to store the key in a safe location. Since it performs encryption and decryption on the fly, disk fragmentation occurs quite often; hence, for better system performance, administrators are also advised to defrag the volumes periodically. TrueCrypt is found installed on business-critical production systems including web servers, file servers, email servers, etc., which makes it a standard utility for IT infrastructures where business data security is paramount.