Encryption layer in storage stack
|This article does not cite any sources. (December 2006) (Learn how and when to remove this template message)|
There is a plurality of terms that are used to describe implementations of disk encryption: on-the-fly encryption (OTFE); full disk encryption (FDE), whole disk encryption; filesystem-level encryption, encrypted filesystem, cryptographic filesystem, etc. All of them refer to an encryption layer in the storage stack. This article describes these techniques and explains their pros and cons. This article does not reference any software or hardware implementing these techniques (see disk encryption software and hardware), and it does not describe cryptographic theory behind it (see disk encryption theory).
To fully understand the techniques listed above we first need to consider the stack of software and hardware in the computer storage subsystem. Let us give an example of such a stack in a PC: hard disk hardware provides an interface to read and write sectors using logical block addressing (LBA) or cylinder-head-sector (CHS) address; on top of it there is a software layer that interprets the partition table stored in the master boot record (MBR) and represents a single hard disk as a set of logical disks; on top of it there is another software layer (filesystem) that represent a logical disk as a collection of files organized into directories; on top of it there may be software (a text editor) that interprets a file as a list of text lines. Each layer in this stack provides its own interface using the interface provided by the layer below it, for example, an LBA-accessible disk or a logical disk allow to read and write sectors of fixed size given the sector number (such layers are called sector-addressable); a filesystem allows to read and write data of arbitrary length given the name of a file and offset inside the file; and a text editor allows to delete and insert characters in a text file.
Similar to a communication protocol stack, this modularity provides great flexibility: each layer can be easily replaced with another as far as it provides the same interface. For example, a hard disk can be replaced with flash memory while all the rest of the stack stays unchanged. It is also possible to introduce an additional layer that provides the same interface as the layer below, but change the data along the way, for example, to provide on-the-fly encryption and decryption. This encryption layer can be integrated with any layer in our example: encryption can be implemented by hardware of the hard disk; a single logical disk can be encrypted; a file can be encrypted by the filesystem; and even the text editor itself can transparently encrypt data before storing it into a file.
The terms listed in the beginning of the article refer to such an encryption layer in different positions. Unfortunately, the naming conventions are different for different speakers. In general, every method in which data is transparently encrypted on write and decrypted on read can be called on-the-fly encryption (OTFE), although some prefer to use this name only to encryption of a sector-addressable layer. Full Disk Encryption (FDE) or whole disk encryption is used by some to refer to encryption a sector-addressable layer (a physical disk and not a logical disk), whereas others use it to denote only to encryption of physical disk and not a logical disk. Filesystem-level encryption or cryptographic filesystem is used to refer to a filesystem that can selectively encrypt files stored in it, whereas others distinguish these terms: they use the former to denote a general purpose filesystem that supports encryption while they use the latter to denote a filesystem that is specifically designed to provide encryption and uses some other filesystem to store the files.
Since in many cases people (mistakenly) assume that their collocutor assigns the same meaning to these terms, there are a lot of arguments whether some particular implementation provides some particular feature. For example, the one who contrasts “full disk encryption” with “filesystem-level encryption,” may say that some software package provides FDE, whereas his opponent who contrasts “FDE” with “logical disk encryption” (or “disk partition encryption”) will say that the package does not provide FDE. This article explains that before getting into any such argument it is very important to understand what meaning each speaker assigns to the terms.