[OpenAFS-devel] [GSoC 2010] Encrypted storage

Russ Allbery rra@stanford.edu
Wed, 24 Mar 2010 13:32:36 -0700


Derek Atkins <warlord@MIT.EDU> writes:

> About four-five years ago I designed a complete encryption system for
> AFS.  The design also depends on your requirements.  For example, do you
> want to:

>  * Encrypt the directory contents as well as the file contents?
>    (I.e. hide the filenames)
>  * Have centralized group management for encryption contexts? (i.e. be
>    able to centrally add or remove people from having access to the
>    encryption keys)
>  * have other hidden/implicit requirements that haven't been stated yet?

> Note that directory encryption is more complicated than file encryption.
> File encryption can be implemented completely on the client.  Indeed, I
> implemented that four+ years ago.  However, if you want to encrypt the
> directory contents then you also need the fileserver to help you
> (because the directory contents are maintained by the fileserver).

> I'll step back and ask:  what's your threat model?  What are you trying
> to protect against?

We have a few threat models at Stanford in this area:

* The threat of an audit requiring compliance with some arbitrary
  guideline about how data must be stored encrypted.  This is probably the
  highest and most visible risk, and unfortunately also the least clear
  since no one can agree on what the relevant laws require.

* Protection against a storage system compromise.  Compromising the system
  that manipulates the data already compromises the data.  It would be
  nice if a compromise of the AFS file server or underlying storage didn't
  compromise the data.  I don't think this requires directory encryption
  unless people store sensitive things in the file names, which here at
  least is a problem we can address with education and policy.

* Protection against a backup system compromise.  This can be addressed by
  encrypting at the backup level, but it's easier if the data is already
  always encrypted at rest.  This protects against interception of backup
  tapes during off-site rotation and similar security threats.

* Backstop protection against improper handling of server retirement.  If
  the data is stored encrypted, we're at less risk if someone recycles a
  hard drive without properly wiping it.  Obviously, this isn't the
  primary protection against that, just a backstop if other provisions
  fail, so it's not as exciting of a use case.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>