GBDE
Encyclopedia
GBDE, standing for GEOM Based Disk Encryption, is a block device-layer disk encryption
system written for FreeBSD
, initially introduced in version 5.0. It is based on the GEOM
disk framework. GBDE was designed and implemented by Poul-Henning Kamp
and Network Associates Inc. (now known as McAfee
).
s through the use of disk encryption-specific modes of operation (see disk encryption theory), but instead generates a random key
each time a sector
is written. Unlike some alternatives, such as CBC with sector-specific initialization vector
s, this approach does not reveal any information to the attacker even if they have access to snapshots of the disk image from different points in time, since encryption keys are never re-used.
The one time sector key is encrypted using a pseudorandom key. This pseudorandom key is derived from the sector number and a static 2048-bit master key with 128 bits of salt
. The pseudorandom number generator
used for this purpose is called the Cherry Picker. This is not a well established PRNG, but rather one invented for GBDE. This generator may not meet the security levels of standard algorithms, and could be distinguishable from random numbers.
. Using a different key for each write also introduces a significant CPU overhead, as most block cipher
s use key-specific precomputations, and makes disk updates non-atomic
since the keys are written separately from the data. As a result, data loss can occur on unexpected power drops, even when used with journaling file system
s. GBDE also has a disk space overhead
of about 3% to store the per-sector keys.
To address these shortcomings, a more typical disk encryption solution for FreeBSD, GELI
, was written later by Pawel Jakub Dawidek.
Disk encryption
Disk encryption is a special case of data at rest protection when the storage media is a sector-addressable device . This article presents cryptographic aspects of the problem...
system written for FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
, initially introduced in version 5.0. It is based on the GEOM
GEOM
GEOM is the main storage framework for the FreeBSD operating system. It is available in FreeBSD 5.0 and higher and provides a standardized way to access storage layers. GEOM is modular and allows for geom modules to connect to the framework. For example, the geom_mirror module will provide RAID1 or...
disk framework. GBDE was designed and implemented by Poul-Henning Kamp
Poul-Henning Kamp
Poul-Henning Kamp is a Danish FreeBSD developer, responsible for implementation of the widely used MD5 password hash algorithm, a vast quantity of systems code, including the FreeBSD GEOM storage layer, GBDE cryptographic storage transform, part of the UFS2 file system implementation, FreeBSD...
and Network Associates Inc. (now known as McAfee
McAfee
McAfee, Inc. is a computer security company headquartered in Santa Clara, California, USA. It markets software and services to home users, businesses and the public sector. On August 19, 2010, electronics company Intel agreed to purchase McAfee for $7.68 billion...
).
Design decisions
Unlike most disk encryption software, GBDE does not attempt to defeat watermarking attackWatermarking attack
In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data can be detected by an attacker without knowing the encryption key.-Problem description:...
s through the use of disk encryption-specific modes of operation (see disk encryption theory), but instead generates a random key
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
each time a sector
Disk sector
In computer disk storage, a sector is a subdivision of a track on a magnetic disk or optical disc. Each sector stores a fixed amount of user data. Traditional formatting of these storage media provides space for 512 bytes or 2048 bytes of user-accessible data per sector...
is written. Unlike some alternatives, such as CBC with sector-specific initialization vector
Initialization vector
In cryptography, an initialization vector is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom...
s, this approach does not reveal any information to the attacker even if they have access to snapshots of the disk image from different points in time, since encryption keys are never re-used.
The one time sector key is encrypted using a pseudorandom key. This pseudorandom key is derived from the sector number and a static 2048-bit master key with 128 bits of salt
Salt (cryptography)
In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function...
. The pseudorandom number generator
Pseudorandom number generator
A pseudorandom number generator , also known as a deterministic random bit generator , is an algorithm for generating a sequence of numbers that approximates the properties of random numbers...
used for this purpose is called the Cherry Picker. This is not a well established PRNG, but rather one invented for GBDE. This generator may not meet the security levels of standard algorithms, and could be distinguishable from random numbers.
Limitations
Due to this unique approach, GBDE only supports 128-bit AESAdvanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
. Using a different key for each write also introduces a significant CPU overhead, as most block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s use key-specific precomputations, and makes disk updates non-atomic
Atomicity
In database systems, atomicity is one of the ACID transaction properties. In an atomic transaction, a series of database operations either all occur, or nothing occurs...
since the keys are written separately from the data. As a result, data loss can occur on unexpected power drops, even when used with journaling file system
Journaling file system
A journaling file system is a file system that keeps track of the changes that will be made in a journal before committing them to the main file system...
s. GBDE also has a disk space overhead
Computational overhead
In computer science, overhead is generally considered any combination of excess or indirect computation time, memory, bandwidth, or other resources that are required to attain a particular goal...
of about 3% to store the per-sector keys.
To address these shortcomings, a more typical disk encryption solution for FreeBSD, GELI
Geli (software)
geli is a block device-layer disk encryption system written for FreeBSD, introduced in version 6.0. It utilises the GEOM disk framework. It was designed and implemented by Pawel Jakub Dawidek.- Design details :...
, was written later by Pawel Jakub Dawidek.
See also
- GELIGeli (software)geli is a block device-layer disk encryption system written for FreeBSD, introduced in version 6.0. It utilises the GEOM disk framework. It was designed and implemented by Pawel Jakub Dawidek.- Design details :...
- Disk encryptionDisk encryptionDisk encryption is a special case of data at rest protection when the storage media is a sector-addressable device . This article presents cryptographic aspects of the problem...
- Disk encryption softwareDisk encryption softwareTo protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses software that is used to implement the technique...
- Comparison of disk encryption softwareComparison of disk encryption software-Background information:-Operating systems:-Features:* Hidden containers: Whether hidden containers can be created for deniable encryption...