ppdd

Section: User Commands (1)
Updated:
Index Return to Main Contents

NAME

ppdd - encrypted disc device driver and utilities

SYNOPSIS

The ppdd system provides high quality encryption to protect the privacy of data held on disc drives. The driver is integrated into the Linux kernel and the utilities provide all the management functions required.

DESCRIPTION

It is important to understand the threat against which ppdd provides protection. No single system can provide full security in all circumstances and a clear understanding of what ppdd does and does not do is critical to the construction of a security regime which meets the users needs.

Threat Model

The ppdd system protects the privacy of the data in the following circumstances.

The theft of the computer while it is powered off or if the thief has to power it off to remove it.

The theft or copying of the discs from the computer.

The theft or copying of backups.

Copying of discs after booting the computer from a boot floppy.

While these may seem a limited set of threats, they are in fact the basis of all security. If the system as a whole cannot provide a defense against these threats then more sophisticated higher level defenses are useless.

Program/System overview

The ppdd system consists of a device driver which is part of the kernel and a set of user utilities to manage ppdd devices and/or the encrypted data. To the applications side the ppdd device behaves like a hard drive partition. The driver in the kernel encrypts data sent to this device and stores it on a real disc partition or on a normal file. Similarly it responds to read requests by reading the appropriate block (or blocks) from a real disc partition or a file and decrypting them.

Cryptography overview

The encryption algorithm used is blowfish. There is no provision for any other algorithm. If the integrity of this algorithm is ever called into question then a modified product will be released with a changed name. This way there is no doubt about what is being used. The implementation is in assembler for the i86 range of processors in order to achieve the necessary performance.

The basic principle is that a disc block (512 bytes) is encrytpted with one of 17 keys each of 256 bits length. Before encryption the data in the block is distributed evenly throughout the block based on three 32 bit keys, one is the block number itself, one is reused every 59 blocks, the other every 61 blocks. These "whitenning keys" and the blowfish keys are generated in the initialisation step and are stored with other control information in the first 1024 bytes of the host file or disc partition. The data blocks are encrypted in cbc mode using an IV derived from the data itself during the whitenning process.

The control block is itself encrypted in ecb mode using a key derived from a pass phrase entered by the user. The pass phrase consists of 2 lines of up to 104 characters each. The process of turning this into a blowfish key is described in the documentation. Two lines of user input are used in the belief that it easier for mortal human beings to remember two phrases of reasonable length rather than one very long one. If this is not true for memory it is certainly true for typing blind.

Not to be confused with the two lines of pass phrase is the ability to have a master and a working pass phrase associated with a host file or disc partition. The master pass phrase is that used during initialisation. A working pass phrase can be assigned at any time later. Both the master and working pass phrases can be changed at will. The concept was introduced so that use of the master pass phrase can be minimised. Before taking a backup the working pass phrase can be erased. After the backup it can be reset or a new one created. This way the only pass phrase which can open a backup is the master. For a full explanation why backups should only ever be encrytpted with one pass phrase - or better stiil why the backup should exclude the control information in the first 1024 bytes please see the documenation.

UTILITIES

ppddinit - creates the control block on the host file or device. Optionally it can fill the rest of the space with random data. It can also perform an "encrypt in place" which allow a normal disc partition containing an ext2 filesystem to be encrypted within the same partition.

ppddsetup - is used to connect the device driver with the real disc data. It can also be used to display details of the connection. It also allows the user to disconnect the device driver from the real disc data. Normally it will demand the pass phrase (master and working pass phrases are equally valid). It is also possible to read the pass phrase from disc but from a security point of view this only makes sense if the file containing this sensitive data is itself on a ppdd device. It comes into play when the root filesytem itself is encrypted with ppdd.

ppddpassw - carries out various pass phrase related functions. The user can create or change a working pass phrase. He can change the master pass phrase. He can erase the working pass phrase or both pass phrases. An additional feature is "decrypt in place" which allow the user to revert an encrytpted disc partion to its decrypted form in the same place on disc.

ppdncrypt - is used for encryption functions but without kernel support. It can be used for making backups (with or without the 1024 byte control block). It can encrypt an existing filesystem either in place or by copying it. If pgp has been installed on the system it can interface to this product so that a backup can be made without having to enter a pass phrase - it uses the public key of user "backup". Again the user can choose to exclude the 1024 byte from the backup if he wishes.

ppdecrypt - is used for decryption type functions but without kernel support. It can be used to restore backups made with ppdncrypt. It can decrytpt an existing host file or partition either in place or by making a copy. It provides an interface to pgp - if the input was encrypted using pgp in combination with ppdncrypt.

Two additional utilities are available which are only of interest if the root filesystem is encrypted. These are "linuxrc" which is a program which runs before the root filesystem is available - mainly to ask the user for the pass phrase, and "ppddreopen" which performs the rather obscure function of enabling the root file system to use a device which exists on the root filesystem itself - this then frees up the temporary resources which were need to get this far in the boot process. If you are going to use root filesystem encryption please read the documentation.

FILES


/initrd used during boot for root ppdd filesystem
/etc/ppddtab for auto-setup - useful for root ppdd filesystem

WARNINGS

Use at your own risk.
Available only for i86 architecture.
Demands a lot of CPU - a 100MHz processor minimum.
Available only for Linux 2.0.36 and 2.2.x series.
The underlying (host) file can be on any file system supported by Linux and this filesystem can have any block size. However the file system created on the ppdd device MUST NOT use the first 1024 bytes of the (host) file or partition. Note that ext2 with a block size of 1024 complies but DOS and its derivatives and also ext2 with larger block sizes do not. In addition larger block sizes are very inefficient from a performance point of view.
The same applies if a device (e.g. /dev/hda3) is used to host the ppdd device. To be safe it is strongly advised to use ext2 with a block size of 1024.
e.g. mke2fs -b1024 /dev/ppdd0

BUGS

No bugs in the core functions are known. Likely areas where minor bugs may show up is in error trapping and parameter and file validation.
Please report all bugs to the author, with some indication of their severity.

SOURCE

Available from:

http://linux01.gwdg.de/~alatham ftp://ftp.gwdg.de/pub/linux/misc/ppdd

A pgp signature file is available for all releases and my public key is also available from the above urls and from the usual key servers. Please check what you download.

LICENCE

GPL

AUTHOR

Allan Latham <alatham@flexsys-group.com>
plus contributions from many sources.

HISTORY

The first version shared with others was 0.3 which was early in 1998. We are currently at 0.9 in June 1999. The target is a fully trustworthy, well documented and easy to install and use version 1.0 by the start of the next millenium.