[FDE] full disk encryption for NAS

Mike Markowitz markowitz at infoseccorp.com
Thu Jan 4 10:38:10 MST 2007


Naveen wrote on Tue Dec 5 22:55:44 MST 2006:

 >I have a confusion whether to use
 >file encryption (or) disk encryption in case of a NAS box
 >because the data over the network is in clear-text when
 >the clients are accessing the NAS box. So in that case
 >file encryption will be useful. But in case of physical
 >security like theft it is better to use disk
 >encryption.
 >
 >I have googled about this and nowhere did I find the
 >correct answer. Is it better to use both types of
 >encryption at a time? Then the burden will be more in
 >encrypting & decrypting the data twice, at file level & at
 >disk level.
 >
 >Is there any alternate technique to protect the NAS
 >box from both physical & network attacks?

Naveen:

You might want to consider ISC's SpyProof! product.
It allows you to create encrypted virtual partitions
-- locally on a Windows system, on a remote NAS box,
or even on removable media. When "mounted," these
partitions appear as normal (networked) drives on
client Windows systems.

A device driver on each client locally encrypts all
data written to a mounted drive on-the-fly, and
decrypts all data locally after reads, so both
processes are transparent to all Windows
applications, all network traffic is encrypted, and
you always end up with ciphertext on the NAS device
(or wherever the encrypted partition resides).

Mounting/unmounting an encrypted partition can be
performed manually or tied to the Windows
login/logout processes. The mounting process
requires strong authentication based on X.509
certificates, with or without a hardware token --
PKCS#11 and CAPI-based tokens are supported. Users
can install an existing key pair, create a
self-signed certificate, or request a free 1-year
certificate from us. All data is encrypted with AES
(your choice of key size) in CBC mode. Encrypted
disks can be expanded (but not contracted) after
creation, re-keyed upon demand, and users added/deleted
from the "access control lists" on a drive-by-drive
basis. (The free space on a disk can be encrypted or
not, a decision to be made by an administrator based
on its potential impact on incremental backup
processes.)

One caveat: simultaneous read/write access by
multiple users to a given encrypted drive is not
supported at this time; the first user to mount a drive
gets read/write access, subsequent users get read-only
access. In some applications this is not a significant
limitation, for others it is, so you need to take
it into consideration.

More info is available here:
    http://www.infoseccorp.com/products/spyproof/contents.htm

-mjm
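As an added illustration of the architecture described above (the client encrypts on-the-fly with AES-CBC before anything reaches the share, so both the network traffic and the bytes at rest on the NAS are ciphertext), here is a small Go model of one sector of such an encrypted virtual partition. It is example code written for this thread, not SpyProof or ISC code; the 512-byte sector size, the ESSIV-style per-sector IV derivation and the demo key are assumptions of the example and say nothing about how the product derives its IVs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // constructed; any multiple of the AES block size works
// sectorIV gives every sector its own CBC IV by encrypting the sector number under a
// hash of the data key (ESSIV, as dm-crypt does; an assumption of this example, not
// the product's scheme), so equal plaintext in two sectors is not equal ciphertext.
func sectorIV(key []byte, n uint64) []byte {
	h := sha256.Sum256(key)
	ivGen, _ := aes.NewCipher(h[:]) // a 32-byte key is always accepted (AES-256)
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, n)
	ivGen.Encrypt(iv, iv)
	return iv
}
// WriteSector encrypts sector n on the client and puts only ciphertext into store,
// which stands in for the NAS share: it never sees the key or the plaintext.
func WriteSector(store, key []byte, n uint64, plain []byte) error {
	off := int(n) * sectorSize
	if off+sectorSize > len(store) || len(plain) != sectorSize {
		return fmt.Errorf("sector %d: out of range or plaintext not %d bytes", n, sectorSize)
	}
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key: AES-128/192/256
	if err != nil {
		return err
	}
	cipher.NewCBCEncrypter(block, sectorIV(key, n)).CryptBlocks(store[off:off+sectorSize], plain)
	return nil
}
// ReadSector pulls ciphertext for sector n from store and decrypts it on the client.
func ReadSector(store, key []byte, n uint64) ([]byte, error) {
	off := int(n) * sectorSize
	if off+sectorSize > len(store) {
		return nil, fmt.Errorf("sector %d out of range", n)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(block, sectorIV(key, n)).CryptBlocks(out, store[off:off+sectorSize])
	return out, nil
}
```

Because the share only ever receives the output of WriteSector, a stolen NAS disk or a captured network stream yields the same ciphertext bytes; the key never leaves the client.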
