Encryption layer in storage stack
There is a plurality of terms used to describe implementations of disk encryption: on-the-fly encryption (OTFE); full disk encryption (FDE), whole disk encryption; filesystem-level encryption, encrypted filesystem, cryptographic filesystem, etc. All of them refer to an encryption layer in the storage stack. This article describes these techniques and explains their pros and cons. It does not reference any software or hardware implementing these techniques (see disk encryption software and hardware), and it does not describe the cryptographic theory behind them (see disk encryption theory).
Storage stack
To fully understand the techniques listed above, we first need to consider the stack of software and hardware in the computer storage subsystem. Let us give an example of such a stack in a PC: hard disk hardware provides an interface to read and write sectors using logical block addressing (LBA) or cylinder-head-sector (CHS) addressing; on top of it there is a software layer that interprets the partition table stored in the master boot record (MBR) and represents a single hard disk as a set of logical disks; on top of it is another software layer (the filesystem) that represents a logical disk as a collection of files organized into directories; on top of it there may be software (a text editor) that interprets a file as a list of text lines. Each layer in this stack provides its own interface using the interface provided by the layer below it. For example, an LBA-accessible disk or a logical disk allows reading and writing sectors of fixed size given the sector number (such layers are called sector-addressable); a filesystem allows reading and writing data of arbitrary length given the name of a file and an offset inside the file; and a text editor allows deleting and inserting characters in a text file.
Similar to a communication protocol stack, this modularity provides great flexibility: each layer can be easily replaced with another as long as it provides the same interface. For example, a hard disk can be replaced with flash memory while the rest of the stack stays unchanged. It is also possible to introduce an additional layer that provides the same interface as the layer below it but changes the data along the way, for example, to provide on-the-fly encryption and decryption. This encryption layer can be integrated with any layer in our example: encryption can be implemented by the hard disk hardware; a single logical disk can be encrypted; a file can be encrypted by the filesystem; and even the text editor itself can transparently encrypt data before storing it in a file.
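To make the layering in the two paragraphs above concrete, here is an added toy example in Python (written for this page, not code from the article or from any product it alludes to). It builds a sector-addressable raw disk, interposes an encrypting layer that exposes the identical read/write-sector interface, and puts a minimal filesystem on top that neither knows nor cares whether the device below it encrypts. The sector size, file contents, keys, class names and the per-sector keystream cipher are all constructed for the demonstration; the keystream is a stand-in for a real sector cipher, not a recommendation.

```python
import hashlib
import hmac

SECTOR_SIZE = 16  # constructed: tiny sectors keep the demo readable (real disks use 512 or 4096 bytes)


class RawDisk:
    """Bottom layer: a sector-addressable device, the interface LBA exposes."""

    def __init__(self, sectors):
        self._data = [bytes(SECTOR_SIZE) for _ in range(sectors)]

    def read_sector(self, n):
        return self._data[n]

    def write_sector(self, n, data):
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        self._data[n] = bytes(data)


class EncryptingDisk:
    """Interposed layer: the same read/write-sector interface as RawDisk, but it
    encrypts on write and decrypts on read (on-the-fly encryption at the sector level)."""

    def __init__(self, lower, key):
        self._lower = lower
        self._key = key

    def _keystream(self, n):
        # Toy per-sector keystream keyed by the sector number (constructed stand-in for a
        # real sector cipher such as XTS; see the usage note below for why it is only a toy).
        return hmac.new(self._key, n.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR_SIZE]

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def read_sector(self, n):
        return self._xor(self._lower.read_sector(n), self._keystream(n))

    def write_sector(self, n, data):
        self._lower.write_sector(n, self._xor(data, self._keystream(n)))


class FlatFS:
    """Filesystem layer: maps names to byte ranges on any sector-addressable device and
    offers reads of arbitrary length at an arbitrary offset, as the article describes."""

    def __init__(self, device):
        self._dev = device
        self._table = {}  # name -> (first sector, length in bytes)
        self._next_free = 0

    @staticmethod
    def _sectors_for(size):
        return max(1, -(-size // SECTOR_SIZE))  # ceiling division, at least one sector

    def write_file(self, name, data):
        start = self._next_free
        for i in range(self._sectors_for(len(data))):
            chunk = data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE].ljust(SECTOR_SIZE, b"\0")
            self._dev.write_sector(start + i, chunk)
        self._table[name] = (start, len(data))
        self._next_free = start + self._sectors_for(len(data))

    def read_file(self, name, offset=0, length=None):
        start, size = self._table[name]
        raw = b"".join(self._dev.read_sector(start + i) for i in range(self._sectors_for(size)))
        end = size if length is None else min(size, offset + length)
        return raw[offset:end]


def demo(key=b"constructed-demo-key", wrong_key=b"constructed-wrong-key"):
    """Write one file through the encrypting layer and return each layer's view of it."""
    raw = RawDisk(sectors=8)
    fs = FlatFS(EncryptingDisk(raw, key))
    fs.write_file("notes.txt", b"meeting moved to noon, room 4")
    return {
        "filesystem_view": fs.read_file("notes.txt"),        # plaintext, as an editor above would see it
        "partial_read": fs.read_file("notes.txt", 8, 5),     # arbitrary offset and length, a filesystem operation
        "raw_sector_0": raw.read_sector(0),                  # ciphertext, what the hardware actually stores
        "wrong_key_view": EncryptingDisk(raw, wrong_key).read_sector(0),  # a wrong key yields garbage, not plaintext
    }


if __name__ == "__main__":
    for layer, view in demo().items():
        print(f"{layer:16s} {view!r}")
```

Because `EncryptingDisk` and `RawDisk` present the same interface, `FlatFS` can be built directly on a `RawDisk` and the plaintext then lands on the raw sectors unchanged, which is exactly the substitutability the article is describing. The toy keystream is where the article's pointer to disk encryption theory matters: it is derived only from the key and the sector number, so writing two different plaintexts to the same sector would let anyone holding both ciphertexts recover their XOR. A deployable sector layer uses a tweakable mode designed for this setting rather than a keystream reused per sector.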
Terms
The terms listed at the beginning of the article refer to such an encryption layer in different positions. Unfortunately, naming conventions vary among different speakers. In general, any method where data is transparently encrypted on write and decrypted on read can be called on-the-fly encryption (OTFE), although some prefer to use this name only for encryption of a sector-addressable layer. Full disk encryption (FDE) or whole disk encryption is used by some to refer to encrypting any sector-addressable layer (a physical disk or a logical disk), whereas others use it to denote only encryption of a physical disk, not a logical disk. Filesystem-level encryption or cryptographic filesystem is used by some to refer to any filesystem that can selectively encrypt files stored in it, while others distinguish these terms: they use the former to denote a general-purpose filesystem that supports encryption and the latter to denote a filesystem specifically designed to provide encryption that uses another filesystem to store the files.
Since in many cases people (mistakenly) assume that their interlocutor assigns the same meaning to these terms, there are many arguments about whether a particular implementation provides a particular feature. For example, someone contrasting "full disk encryption" with "filesystem-level encryption" may say that a software package provides FDE, while their opponent, contrasting "FDE" with "logical disk encryption" (or "disk partition encryption"), may say the package does not provide FDE. The point of this article is that before engaging in such an argument, it is essential to understand the meaning each speaker assigns to the terms.
This article "Encryption layer in storage stack" is from Wikipedia; the list of its authors can be seen in its page history.
