On Mon, Dec 13, 2010 at 10:01, Chris Palmer <[email protected]> wrote:
> On Fri, Dec 10, 2010 at 12:24 PM, Kipling Inscore <[email protected]> wrote:
>
>> For strength of security, it's probably best to put this in the
>> kernel, making it more difficult to circumvent by malicious users or
>> malicious applications and unsuspecting users.
>
> Please explain.
If it is in the kernel, it is easier to make it the only available path to disk. Since one of the goals here is to have all applications writing encrypted, having an alternate path is bad. If it is outside the kernel as a library, a native program can simply include the unmodified library or use the kernel interface directly to write to disk unless additional precautions are taken.

In the kernel, it is also easier to keep the keys away from the applications. Giving applications read permission to the keys should probably be avoided since otherwise with internet permission they could possibly give away files and keys. You could put the encryption mechanism in a suid program, with the whole disk owned by that program, but then I think you would have to reimplement file permissions and have that program manage them.

> Also, none of this matters until you have key management in place. How
> is the original poster planning to store and retrieve encryption keys?

I wouldn't say it simply doesn't matter. Encryption isn't trivial once key management is in place. While it's not a great idea to simply write keys to disk once and leave it at that, it's an option for some situations (perhaps for short fixed-term security or combined with manual updates, though that's a hassle and potentially less secure than alternatives) and besides, key management can be implemented partly in parallel with encryption rather than as a prerequisite (though hopefully both will be finished and installed before the system is deployed).

> Once you have decent key management, the quickest and easiest thing to
> do is just encrypt the file with a GPG-like mechanism (or just pull in
> GPG).

If only it were so simple as installing GPG. It seems that specific algorithms (even, perhaps, specific code) are required. FIPS 140-2 compliance is a requirement and it seems GPG has not been certified, though certain versions/modules of OpenSSL have been.
Additionally, you should probably only use the information you get here as a starting point. The real decisions should be made by fully informed experts. Security can be difficult to get right.
