Encryption layer in storage stack

Encryption layer in storage stack

There is a plurality of terms that are used to describe implementations of disk encryption: on-the-fly encryption (OTFE); full disk encryption (FDE), whole disk encryption; filesystem-level encryption, encrypted filesystem, cryptographic filesystem, etc. All of them refer to an encryption layer in the storage stack. This article describes these techniques and explains their pros and cons. This article does not reference any software or hardware implementing these techniques (see disk encryption software and hardware), and it does not describe cryptographic theory behind it (see disk encryption theory).

torage stack

To fully understand the techniques listed above we first need to consider the stack of software and hardware in the computer storage subsystem. Let us give an example of such a stack in a PC: hard disk hardware provides an interface to read and write sectors using logical block addressing (LBA) or cylinder-head-sector (CHS) address; on top of it there is a software layer that interprets the partition table stored in the master boot record (MBR) and represents a single hard disk as a set of logical disks; on top of it there is another software layer (filesystem) that represent a logical disk as a collection of files organized into directories; on top of it there may be software (a text editor) that interprets a file as a list of text lines. Each layer in this stack provides its own interface using the interface provided by the layer below it, for example, an LBA-accessible disk or a logical disk allow to read and write sectors of fixed size given the sector number (such layers are called sector-addressable); a filesystem allows to read and write data of arbitrary length given the name of a file and offset inside the file; and a text editor allows to delete and insert characters in a text file.

Similar to a communication protocol stack, this modularity provides great flexibility: each layer can be easily replaced with another as far as it provides the same interface. For example, a hard disk can be replaced with flash memory while all the rest of the stack stays unchanged. It is also possible to introduce an additional layer that provides the same interface as the layer below, but change the data along the way, for example, to provide on-the-fly encryption and decryption. This encryption layer can be integrated with any layer in our example: encryption can be implemented by hardware of the hard disk; a single logical disk can be encrypted; a file can be encrypted by the filesystem; and even the text editor itself can transparently encrypt data before storing it into a file.


The terms listed in the beginning of the article refer to such an encryption layer in different positions. Unfortunately, the naming conventions are different for different speakers. In general, every method in which data is transparently encrypted on write and decrypted on read can be called "on-the-fly encryption" (OTFE), although some prefer to use this name only to encryption of a sector-addressable layer. "Full Disk Encryption" (FDE) or "whole disk encryption" is used by some to refer to encryption a sector-addressable layer (a physical disk and not a logical disk), whereas others use it to denote only to encryption of physical disk and not a logical disk. "Filesystem-level encryption" or "cryptographic filesystem" is used to refer to a filesystem that can selectively encrypt files stored in it, whereas others distinguish these terms: they use the former to denote a general purpose filesystem that supports encryption while they use the latter to denote a filesystem that is specifically designed to provide encryption and uses some other filesystem to store the files.

Since in many cases people (mistakenly) assume that their collocutor assigns the same meaning to these terms, there are a lot of arguments whether some particular implementation provides some particular feature. For example, the one who contrasts “full disk encryption” with “filesystem-level encryption,” may say that some software package provides FDE, whereas his opponent who contrasts “FDE” with “logical disk encryption” (or “disk partition encryption”) will say that the package does not provide FDE. This example shows that that before getting into any such argument it is very important to understand what meaning each speaker assigns to the terms.

ee also

* Disk encryption theory
* Disk encryption software
* Disk encryption hardware

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Comparison of disk encryption software — This is a technical feature comparison of different disk encryption software. Contents 1 Background information 2 Operating systems 3 Features 4 Layering …   Wikipedia

  • USB mass storage device class — The USB mass storage device class or USB MSC or UMS is a set of computing communications protocols defined by the USB Implementers Forum that run on the Universal Serial Bus. The standard provides an interface to a variety of storage devices.Some …   Wikipedia

  • Security and safety features new to Windows Vista — There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.Beginning in early 2002 with Microsoft s announcement of their Trustworthy Computing… …   Wikipedia

  • FreeBSD — welcome screen Company / developer The FreeBSD Project …   Wikipedia

  • Windows Vista networking technologies — This article is part of a series on Windows Vista New features Overview Technical and core system Security and safety Networking technologies I/O technologies Management and administration Removed features …   Wikipedia

  • OSI model — 7. Application layer NNTP  · SIP  · SSI  · DNS  · FTP  · Gopher  · …   Wikipedia

  • ZigBee — module. The €1 coin, shown for size reference, is about 23 mm (0.9 inch) in diameter. ZigBee is a specification for a suite of high level communication protocols using small, low power digital radios based on an IEEE 802 standard for personal… …   Wikipedia

  • File area network — File Area Networking refers to various methods of sharing files over a network such as storage devices connected to a file server or network attached storage (NAS). Background Data storage technology over the years has evolved from a direct… …   Wikipedia

  • Server Message Block — In computer networking, Server Message Block (SMB), also known as Common Internet File System (CIFS, /ˈsɪfs …   Wikipedia

  • ZigBee specification — ZigBee is the specification of a low cost, low power wireless communications solution, meant to be integrated as the main building block of ubiquitous networks. It is maintained by the ZigBee Alliance, which develops the specification and… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”