Auditable and Transparent Fully Authenticated Disk Encryption via USB Storage Interposition

Abstract

Full Disk Encryption (FDE) has become increasingly important in the last decades due to the evident confidentiality concerns. In most systems, encryption is provided by an operating system driver, through which the user can transparently access the encrypted disk after supplying the required keys (or the credentials from which those keys are derived). In this work, we explore an alternative approach: the use of an intermediate USB device placed between the host system and the external hard disk, where the encrypted data are stored. Although there are existing devices that follow this inline approach (such as RAID controllers and USB enclosures with built-in encryption), we explore the use of a general-purpose single-board computer running Linux with USB On-The-Go support (e.g. a Raspberry Pi), to provide FADE (Fully Authenticated Disk Encryption). Our system, named CC (Cryptographic Companion), performs the cryptographic operations (encryption/decryption and authentication), providing a standard USB mass-storage interface to the host (which is entirely unaware of the presence of encryption) while relying on the external USB hard disk to store the corresponding encrypted blocks. Our design provides several key advantages: flexibility, low cost, transparency, the use of generic hardware and free and open-source software, adaptability to emerging cryptographic schemes, and mitigations against malicious disk firmware. This paper presents the design and implementation of the CC and an experimental evaluation of our current research prototype, which indicates that it is sufficiently efficient for most common use cases.

0

Turn this paper into a full lesson

ArcXiv compiles a staged curriculum from this paper: 8-12 lessons across beginner → advanced, synthesised section guides, visuals, flashcards, a quiz, exercises, and on-demand deep dives per section. Grounded in the abstract, never invented.

Discussion (0)

Sign in to join the discussion.

Loading comments…