computer science crazy
Guest
A Device Mapper based Encryption Layer for TransCrypt
Data security has become of utmost importance in recent times. Several encrypting file systems have been designed to solve the problem of providing data security in a secure and transparent manner. TransCrypt is one such encrypting file system: it is implemented in kernel space, has an advanced key management scheme and is designed to be deployable in an enterprise scenario. It uses per-file cryptographic keys for flexible sharing and does not include even the superuser in its trust model.
Earlier, TransCrypt was implemented on the Linux kernel (version 2.6). In the implementation, several modifications were made to the existing kernel to embed the TransCrypt functionality. Such modifications also changed the file I/O behaviour in the kernel, in order to add a cryptographic layer to perform encryption and decryption on the file data. The kernel thus modified had several limitations with respect to functionality, maintainability and performance.
In this thesis, we propose a new cryptographic layer for the TransCrypt file system. This layer is implemented as a kernel module and does not modify any existing kernel code. The module uses the device-mapper infrastructure provided by the Linux kernel. The new layer addresses several limitations of the earlier implementation, and is robust and stable. Performance gains of over 90 percent were observed in read and write operations on large files with the new implementation. The design and implementation details of the new cryptographic layer and performance measurements are discussed in this work.
1.1 Motivation
In recent times, data storage has become increasingly common and more affordable. Archiving important data on storage media such as USB disks and file servers is a very common usage scenario among desktop and corporate users. Data security is therefore of utmost importance, especially against data theft, which carries the risk of losing significant personal and organisational data [1, 2]. There is an acute need for a storage solution which uses strong cryptographic methods to protect data.
An encrypting file system provides the much needed solution to the problem of data protection. There are several encrypting file systems (see section 1.2) which provide security by encrypting and decrypting data transparently to the user. Although the different encrypting file systems address the problem of data security in different ways, a combination of features such as per-file encryption, flexible key-sharing and exclusion of the superuser from the trust model makes the file system more secure and customizable. The TransCrypt [3] file system was created on the basis of these features to provide a very strong solution to the problem of securing data in a user-transparent manner.
TransCrypt is an enterprise-class, kernel-space encrypting file system for the Linux [4] operating system, which incorporates an advanced key management scheme to provide a high grade of security, while remaining transparent and easily usable. The initial implementation of TransCrypt [5, 6] was carried out as modifications to the ext3 [7] file system on Linux. Userspace packages specific to the ext3 file system were also modified. The Linux kernel code undergoes changes periodically as new features and bug fixes are added to subsequent releases. Since a significant part of the TransCrypt file system consists of modifications to existing Linux kernel code, changes to the code need to be tracked and updated for every kernel upgrade. The dependency on modifications to the existing kernel code also constrains TransCrypt to be used only over the ext3 file system. The need was felt for an improved TransCrypt file system which is independent of modifications to the underlying native file system code. This had the potential to exploit the advantages of various other underlying file systems.
Desirable characteristics of an encrypting file system include performance and ease of use, apart from a high grade of security. If a user perceives read and write operations to be slow on a TransCrypt file system compared to those on a normal filesystem, then a potential wide-scale deployment of the encrypted filesystem would be hard to implement. The earlier implementation of TransCrypt was based on modifications to the file I/O functionality in the kernel. It had several performance and maintenance related limitations. A need was felt to improve on the performance of the TransCrypt file system, as well as to improve maintainability