Linux for the Information Smuggler

The most common way to implement full-disk encryption (as opposed to encrypted file systems) in the GNU/Linux operating system is using the encrypted loop device, known as CryptoLoop. We demonstrate clear weaknesses in the current CBC-based implementation of CryptoLoop, perhaps the most surprising being a very simple attack which allows specially watermarked files to be identified on an encrypted hard disk without knowledge of the secret encryption key. We take a look into the practical problems of securely booting, authenticating, and keying full-disk encryption. We propose simple improvements to the current implementation. These are based on the notions of tweakable encryption algorithms and enciphering modes which have been proposed during last few years in cryptographic literature. We also explore the possibilities for sector-level disk authentication. The new methods have been implemented as a set of patches to the Linux Kernel series 2.6 and the relevant system tools.