How Disk-Encryption Software Works

Rahul Pitre presents a simple overview of how disk encryption works and why you may want to use it.

People use computers for an ever-increasing number of tasks. Just a few years ago, a PC was scarcely more than a fancy word processor. Over the years, we have started using it for filing taxes, online shopping, e-mail, listening to music, online banking, bill payment, and stock trading; the list keeps growing. As the list grows, so does the amount of private information we store on our PCs. If you want your private information to remain private, you must take steps to keep it so. If you don't, it is potentially available to anyone who can access your computer - children, friends, houseguests, neighbors freeloading on your insecure wireless network, and even hackers.

One solution to the problem is to restrict access to your computer - you can lock your computer in a room and wear the key around your neck. Anyone who wants to access information on your computer without your approval will have to wring your neck first, an act you will most likely resist. The problem, however, is that this solution not only restricts access to the information on the computer, it restricts access to the computer itself. No one but you can use it. Besides, it does not protect your information from folks who may be able to access it without unlocking the room, such as hackers.

A better solution would be to "lock" just the sensitive information. This would allow others to use the computer, but they won't be able to access the locked information. There are various ways you can go about "locking" information. You could protect files containing sensitive information using Windows account-level security, for example, but almost all account-level security has a backdoor - anyone with an administrator's rights to the computer has unrestricted access to the information on it. Or you could use the password feature provided by applications such as Microsoft Word and Microsoft Excel. But this scheme, too, has drawbacks. To begin with, every application you use must support password protection, which certainly is not the case. (Did you ever try protecting a Notepad document?) Secondly, to avoid confusion, you will probably want to use the same password for all documents. This, as you may very well know, is wishful thinking because each application has different rules for how long the password can be and what characters it can contain. Lastly, if you ever want to change the password, you will have to open every protected document and change its password.

A more viable alternative would be to scramble the information in such a way that only you and people you authorize can unscramble it. Scrambling of information is called "encryption" and unscrambling of information is called "decryption". If you encrypt information, you don't have to worry about restricting access to it. You can leave it in plain sight for everyone to see or even copy. It will make sense only to those who can decrypt it; to others, it will look like a collection of meaningless letters and digits. The science of encryption and decryption is called "cryptography", which literally means "hidden writing". Cryptography is useful in protecting everything from military messages to the contents of your disk.

In daily life, people encrypt and decrypt information without a thought. Take me, for example. I am an immigrant; my children are American. When I want to say something to my wife that I don't want my children to understand, I speak to her in my native tongue. In a sense, I encrypt the information. My wife can decrypt it but my children can't, because my wife has the "key" to decrypt what I say - the language. (Incidentally, I also know of another family like mine, where the children get back at their parents by speaking among themselves in Spanish!)

Or take little children playing Spy Vs. Spy. They talk to each other in a code such as Pig Latin. They are encrypting information too. They know that to encrypt, they must remove the first letter of every word and place it at the end of the word. To decrypt, they must remove the last letter and place it at the beginning of the word. The key is to know this little secret.

Real-life cryptography is a bit more involved than these simple schemes. Here is a more realistic example. Say you want to encrypt the phrase "It is raining in Budapest". You could decide to replace each letter by the next letter of the alphabet. The original and the scrambled message will look like this:

Message in plain text: It is raining in Budapest
Scrambled message: Ju jt sbjojoh jo Cvebqftu

In effect, you have shifted the entire alphabet by one letter while scrambling the message.

Let us analyze this example. The process of encryption and decryption has four components:

1. A message in plain text.
2. A procedure or an algorithm to scramble this message, namely, shifting the alphabet.
3. The number of positions you shifted the alphabet by - 1, in our example.
4. A scrambled version of the message produced by using the algorithm and a secret value that both parties know - in this example, the number 1 (the number of positions to shift the alphabet by).

In cryptographic terminology, the original message is called "plaintext". The algorithm is called the "cipher". The secret value that must be used for shifting is called the "key" and the scrambled message is called "ciphertext". The same key is used both to encrypt and to decrypt the message and hence such encryption is called "symmetric key encryption".

To summarize, plaintext is encrypted to ciphertext (and decrypted from ciphertext) by applying a cipher that uses a symmetric key shared by the two parties. (Phew!)

You should note two things here:

1. A different ciphertext can be generated using the same cipher simply by changing the key. If we change the key from 1 to 2, our example will look like this:

Plaintext: It is raining in Budapest

Ciphertext (Key=1): Ju jt sbjojoh jo Cvebqftu

Ciphertext (Key=2): Kv ku tckpkpi ko Dwfcrguv

2. The cipher can be public knowledge; the important piece of information is the key.

The cipher in this example is rather simplistic. It would probably suffice to keep a secret from your little sister, but it would not cut the mustard with the KGB. The KGB has people called "cryptanalysts" on their payroll. Their job is to break codes. By analyzing the frequency of letters and their occurrence in two- and three-letter words, it is fairly easy for them to crack your cipher. Any self-respecting cryptanalyst will do it in minutes.

You can make life more difficult for cryptanalysts by coming up with a key that will make it difficult to analyze letter frequencies. Replace the first letter in the message with the next letter in the alphabet and the second letter in the message with the next but one letter. Repeat this process for the next two letters, and so on. In other words, shift the alphabet by one for every odd-numbered letter and by two for every even-numbered letter. So our cipher remains more or less the same but the key now becomes 12. By increasing the length of the key, you have made your encryption "stronger", or more difficult to crack.

There are several publicly available ciphers that are known by military-sounding acronyms such as RSA, DES and AES. (This is fitting, given the military origins of cryptography!) Each cipher supports a given "key strength". The best ciphers are designed to last past doomsday, so long as a strong enough key is used.

Now that you understand how cryptography works, we can get back to protecting sensitive information on your PC. To get started, you must procure disk-encryption software such as TrueCrypt. Disk-encryption software runs on your computer in the background, much like antivirus software. It stores your data in regular files on your disk just as Microsoft Word stores its information in .doc files and Microsoft Excel in .xls files. The file is then "mounted" as a virtual disk volume and gets a drive letter of its own. Whenever you save information to this "disk", it is automatically encrypted. Conversely, whenever you read information from this disk, it is automatically decrypted. The entire process is transparent to you.

You can create several virtual disks using the software, each of which will get its own drive letter. While creating the file, the software asks you to choose from a variety of ciphers to apply to your information. Based on your choice, it then asks you to select a key strength. Typically you will get to choose from 40, 56, 128, 256, 384 and 512 bit keys. Don't worry, you won't have to come up with a 512-bit key; the software does it for you. It asks you to perform a random operation on your PC, such as vigorously moving your mouse around. Then it generates a random key of the desired length by applying some complex mathematical function to your mouse movements. It appends the key to the file and uses it to encrypt and decrypt your information while reading from and writing to the file.

Since the key is stored with the file itself, there must be some way to prevent it from falling into the hands of unauthorized users. The software accomplishes this by asking you for a password when you create the file. It DOES NOT store the password in plaintext. Rather, it performs a mathematical operation on the password that generates a scrambled version of the password called a "password hash". It stores the password hash with the file and the key.

Whenever you mount the virtual disk, the encryption software asks you for your password. Once you enter the password, the software performs the same mathematical operation on it that it performed the very first time and produces the password hash. If the generated password hash matches the stored password hash, it assumes that you have access to the data and lets you mount the drive. Once the drive is mounted, it uses the key to encrypt and decrypt information seamlessly while you access it. You can then save any file to the encrypted drive as you would to a regular drive.
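The key generation and mount-time password check described above, as an added example that is not code from the article or from any disk-encryption product. Assumptions: salted PBKDF2-HMAC-SHA256 stands in for the "mathematical operation", the operating system's random generator replaces the mouse movements, and the header field names and iteration count are hypothetical. It also goes one step beyond the article's description by masking the stored key with a second password-derived value, so the header never holds the key in the clear.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor for this sketch
HASH_LEN = 32          # bytes of derived output stored as the password hash

def _derive(password, salt, key_len):
    """Stretch the password; split the output into (password hash, key mask)."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=HASH_LEN + key_len)
    return out[:HASH_LEN], out[HASH_LEN:]

def create_header(password, key_bits=256):
    """Generate a random volume key and the header stored with the file."""
    key = secrets.token_bytes(key_bits // 8)   # OS CSPRNG instead of mouse movements
    salt = secrets.token_bytes(16)             # makes equal passwords hash differently
    pw_hash, mask = _derive(password, salt, len(key))
    masked_key = bytes(k ^ m for k, m in zip(key, mask))
    return {"salt": salt, "pw_hash": pw_hash, "masked_key": masked_key}, key

def mount(header, password):
    """Return the volume key if the password hash matches, else None."""
    pw_hash, mask = _derive(password, header["salt"], len(header["masked_key"]))
    if not hmac.compare_digest(pw_hash, header["pw_hash"]):   # constant-time compare
        return None
    return bytes(c ^ m for c, m in zip(header["masked_key"], mask))

if __name__ == "__main__":
    # Constructed sample password, not taken from the article.
    header, key = create_header("correct horse battery staple")
    print("mount with right password:", mount(header, "correct horse battery staple") == key)
    print("mount with wrong password:", mount(header, "guess") is None)
    print("key visible in header:   ", key in b"".join(header.values()))
```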

If a malicious person gains access to your computer, he can access the encrypted file on the disk like any other file. But all he will see is a jumble of meaningless characters. And this is how disk encryption works.