The most common way to implement full-disk encryption (as opposed to encrypted file systems) in the GNU/Linux operating system is using the encrypted loop device, known as CryptoLoop. We demonstrate clear weaknesses in the current CBC-based implementation of CryptoLoop, perhaps the most surprising being a very simple attack which allows specially watermarked files to be identified on an encrypted hard disk without knowledge of the secret encryption key.We take a look into the practical problems of securely booting, authenticating, and keying full-disk encryption. We propose simple improvements to the current CryptoLoop implementation based on the notions of tweakable encryption algorithms and enciphering modes. We also discuss sector-level authentication codes.
展开▼