Section: User Commands (1)
ppdd - encrypted disc device driver and utilities
The ppdd system provides high quality encryption to protect the privacy
of data held on disc drives. The driver is integrated into the Linux kernel
and the utilities provide all the management functions required.
It is important to understand the threat against which ppdd provides
protection. No single system can provide full security in all circumstances
and a clear understanding of what ppdd does and does not do is critical to
the construction of a security regime which meets the user's needs.
The ppdd system protects the privacy of the data in the following circumstances:
- The theft of the computer while it is powered off or if the thief has to
  power it off to remove it.
- The theft or copying of the discs from the computer.
- The theft or copying of backups.
- Copying of discs after booting the computer from a boot floppy.
While these may seem a limited set of threats, they are in fact the basis of
all security. If the system as a whole cannot provide a defense against these
threats then more sophisticated higher level defenses are useless.
The ppdd system consists of a device driver which is part of the kernel and
a set of user utilities to manage ppdd devices and/or the encrypted data.
To the applications side the ppdd device behaves like a hard drive partition.
The driver in the kernel encrypts data sent to this device and stores it on a
real disc partition or on a normal file. Similarly it responds to read
requests by reading the appropriate block (or blocks) from a real disc
partition or a file and decrypting them.
The encryption algorithm used is blowfish. There is no provision for any other
algorithm. If the integrity of this algorithm is ever called into question
then a modified product will be released with a changed name. This way there
is no doubt about what is being used. The implementation is in assembler for
the i86 range of processors in order to achieve the necessary performance.
The basic principle is that a disc block (512 bytes) is encrypted with one
of 17 keys each of 256 bits length. Before encryption the data in the block
is distributed evenly throughout the block based on three 32 bit keys, one
is the block number itself, one is reused every 59 blocks, the other every
61 blocks. These "whitening keys" and the blowfish keys are generated
in the initialisation step and are stored with other control information in
the first 1024 bytes of the host file or disc partition. The data blocks are
encrypted in cbc mode using an IV derived from the data itself during the
The control block is itself encrypted in ecb mode using a key derived from
a pass phrase entered by the user. The pass phrase consists of 2 lines of
up to 104 characters each. The process of turning this into a blowfish key
is described in the documentation. Two lines of user input are used in the
belief that it is easier for mortal human beings to remember two phrases of
reasonable length rather than one very long one. If this is not true for
memory it is certainly true for typing blind.
Not to be confused with the two lines of pass phrase is the ability to have
a master and a working pass phrase associated with a host file or disc
partition. The master pass phrase is that used during initialisation. A
working pass phrase can be assigned at any time later. Both the master and
working pass phrases can be changed at will. The concept was introduced so
that use of the master pass phrase can be minimised. Before taking a backup
the working pass phrase can be erased. After the backup it
can be reset or a new one created. This way the only pass phrase which can
open a backup is the master. For a full explanation why backups should only
ever be encrypted with one pass phrase - or better still why the backup
should exclude the control information in the first 1024 bytes please see
ppddinit - creates the control block on the host file or device. Optionally
it can fill the rest of the space with random data. It can also perform an
"encrypt in place" which allows a normal disc partition containing an ext2
filesystem to be encrypted within the same partition.
ppddsetup - is used to connect the device driver with the real disc data. It
can also be used to display details of the connection. It also allows the user
to disconnect the device driver from the real disc data. Normally it will
demand the pass phrase (master and working pass phrases are equally valid).
It is also possible to read the pass phrase from disc but from a security
point of view this only makes sense if the file containing this sensitive
data is itself on a ppdd device. It comes into play when the root filesystem
itself is encrypted with ppdd.
ppddpassw - carries out various pass phrase related functions.
- The user can create or change a working pass phrase.
- He can change the master pass phrase.
- He can erase the working pass phrase or both pass phrases.
An additional feature is "decrypt in place" which allows the user to revert an
encrypted disc partition to its decrypted form in the same place on disc.
ppdncrypt - is used for encryption functions but without kernel support. It
can be used for making backups (with or without the 1024 byte control block).
It can encrypt an existing filesystem either in place or by copying it.
If pgp has been installed on the system it can interface to this product
so that a backup can be made without having to enter a pass phrase - it uses
the public key of user "backup". Again the user can choose to exclude the
1024 byte control block from the backup if he wishes.
ppdecrypt - is used for decryption type functions but without kernel support.
- It can be used to restore backups made with ppdncrypt.
- It can decrypt an existing host file or partition either in place or by
  making a copy.
- It provides an interface to pgp - if the input was encrypted using pgp in
  combination with ppdncrypt.
Two additional utilities are available which are only of interest if the
root filesystem is encrypted. These are "linuxrc" which is a program which
runs before the root filesystem is available - mainly to ask the user for the
pass phrase, and "ppddreopen" which performs the rather obscure function of
enabling the root file system to use a device which exists on the root
filesystem itself - this then frees up the temporary resources which were
needed to get this far in the boot process. If you are going to use root
filesystem encryption please read the documentation.
/initrd used during boot for root ppdd filesystem
/etc/ppddtab for auto-setup - useful for root ppdd filesystem
ppddinit(1), ppddsetup(1), ppddpassw(1), ppdecrypt(1), ppdncrypt(1) and ppddtab(5).
Use at your own risk.
Available only for i86 architecture.
Demands a lot of CPU - a 100MHz processor minimum.
Available only for Linux 2.0.36 and 2.2.x series.
The underlying (host) file can be on any file system supported by Linux and
this filesystem can have any block size. However the file system created on
the ppdd device MUST NOT use the first 1024 bytes of the (host) file or
partition. Note that ext2 with a block size of 1024 complies but DOS and
its derivatives and also ext2 with larger block sizes do not. In addition
larger block sizes are very inefficient from a performance point of view.
The same applies if a device (e.g. /dev/hda3) is used to host the ppdd
device. To be safe it is strongly advised to use ext2 with a block size of 1024.
e.g. mke2fs -b1024 /dev/ppdd0
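
The block-size rule above can be verified after the fact by reading the ext2 superblock from the ppdd device. This is an added example, not part of the ppdd distribution: the function names and sample images are constructed for illustration, and the field offsets are those of the standard ext2 on-disk superblock.

```python
import struct
import sys

CONTROL_BLOCK = 1024   # ppdd control information: first 1024 bytes of the host
SB_OFFSET = 1024       # ext2 superblock starts 1024 bytes into the volume
EXT2_MAGIC = 0xEF53    # s_magic, 16-bit little-endian at superblock offset 56


def check_ppdd_layout(head: bytes):
    """Inspect the first 2048 bytes of a ppdd device; return (ok, reason)."""
    sb = head[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 58:
        return False, "too short to contain an ext2 superblock"
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_MAGIC:
        return False, "not ext2 (DOS and its derivatives do not comply)"
    # s_first_data_block (offset 20) and s_log_block_size (offset 24)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    if log_block_size > 6:
        return False, "implausible s_log_block_size, superblock damaged?"
    block_size = 1024 << log_block_size
    if block_size != CONTROL_BLOCK:
        return False, f"ext2 block size {block_size}; remake with mke2fs -b1024"
    return True, f"ext2, block size 1024, first data block {first_data_block}"


def sample_image(log_block_size: int) -> bytes:
    """Constructed test input: empty boot area plus a minimal superblock."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 20, 1 if log_block_size == 0 else 0, log_block_size)
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)
    return bytes(1024) + bytes(sb)


if __name__ == "__main__":
    # Usage: python3 check.py /dev/ppdd0   (device must already be set up)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:
            ok, reason = check_ppdd_layout(dev.read(2048))
    else:
        ok, reason = check_ppdd_layout(sample_image(2))  # constructed 4096-byte case
    print("OK" if ok else "FAIL", "-", reason)
    sys.exit(0 if ok else 1)
```
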
No bugs in the core functions are known. Likely areas where minor bugs may
show up are error trapping and parameter and file validation.
Please report all bugs to the author, with some indication of their severity.
A pgp signature file is available for all releases and my public key is
also available from the above urls and from the usual key servers. Please
check what you download.
Allan Latham <firstname.lastname@example.org>
plus contributions from many sources.
The first version shared with others was 0.3 which was early in 1998.
We are currently at 0.9 in June 1999. The target is a fully trustworthy,
well documented and easy to install and use version 1.0 by the start of the
(c) 1999 Allan Latham - version 0.9
Time: 16:33:58 GMT, September 14, 1999