|
Disk encryption software is computer security software that protects the confidentiality of data stored on computer media (e.g., a hard disk, floppy disk, or USB device) by using disk encryption. Compared to access controls commonly enforced by an operating system (OS), encryption passively protects data confidentiality even when the OS is not active, for example, if data is read directly from the hardware or by a different OS. Disk encryption generally refers to wholesale encryption that operates on an entire volume mostly transparently to the user, the system, and applications. This is generally distinguished from file-level encryption that operates by user invocation on a single file or group of files, and which requires the user to decide which specific files should be encrypted. Disk encryption usually includes all aspects of the disk, including directories, so that an adversary cannot determine content, name or size of any file. It is well suited to portable devices such as laptop computers and thumb drives which are particularly susceptible to being lost or stolen. If used properly, someone finding a lost device cannot penetrate actual data, or even know what files might be present. ==Methods== The disk's data is protected using symmetric cryptography with the key randomly generated when a disk's encryption is first established. This key is itself encrypted in some way using a password or pass-phrase known (ideally) only to the user. Thereafter, in order to access the disk's data, the user must supply the password to make the key available to the software. This must be done sometime after each operating system start-up before the encrypted data can be used. Done in software, disk encryption typically operates at a level between all applications and most system programs and the low-level device drivers by "transparently" (from a user's point of view) encrypting data after it is produced by a program but before it is physically written to the disk. Conversely it decrypts data immediately after being read but before it is presented to a program. Properly done, programs are unaware of these cryptographic operations. Some disk encryption software (e.g., TrueCrypt or BestCrypt) provide features that generally cannot be accomplished with disk hardware encryption: the ability to mount "container" files as encrypted logical disks with their own file system; and encrypted logical "inner" volumes which are secretly hidden within the free space of the more obvious "outer" volumes. Such strategies provide plausible deniability. Well-known examples of disk encryption software include: BitLocker for Windows; FileVault for Apple OS/X; and TrueCrypt, a non-commercial freeware application, for Windows, OS/X and Linux. * A 2008 study found data remanence in dynamic random access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to demonstrate a cold boot attack to recover cryptographic keys for several popular disk encryption systems despite some memory degradation, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use. The authors recommend that computers be powered down, rather than be left in a "sleep" state, when not under physical control by the computer's legitimate owner. This method of key recovery however, is suited for controlled laboratory settings and is extremely impractical for "field" use due to the equipment and cooling systems required. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Disk encryption software」の詳細全文を読む スポンサード リンク
|