Encryptors

Just how do you intend to boot that disk with an encrypted MBR? Expecting a driver in the storage stack to encrypt and decrypt the entire disc is inherently fraught with peril. Any driver for Windows that you write will always be loaded too late since first the MBR has to be read by the BIOS which then jumps to a location in the MBR which then loads the OS loader or NtLoader. But … you encrypted the MBR, so unless the BIOS can decrypt it, it can’t execute the MBR loader to load the OS.

That’s a classic Catch-22.


The personal opinion of
Gary G. Little
“Amitrajit Banerjee.” wrote in message news:xxxxx@ntfsd…

Hello ppl,

We are trying to design and develop a full fledged security suite for computers (x86). Well, one of the modules of this suite would be a set of tools that will encrypt the entire storage media (HDD in the beginning, others later), on a sector by sector basis starting right from the MBR to the last sector. Of course we need to write some drivers for the same. My query is where exactly in the disk driver stack should we place our driver to get the best benefit. Should it reside right above Disk.sys? A lower filter driver or what?

Please support your answers with a bare minimum of “this is why it should be done this way…”.

Thanks,

amitr0

Note:-
1) Spelling Mistakes and Grammatical Errors, If Any, Are Regretted.
2) Kindly Acknowledge This Mail At The Earliest.
3) This E-Mail Might contain Confidential information. If You Are Not Entitled
To View it, Please Delete The Message Immediately And Inform Me.
Thanking You,
Amitrajit Banerjee.

Gary,

Actually it is possible, though with lots of work. Writing your own MBR,
having a custom 16 bit ‘app’ which runs from there and decrypts the data,
lots of fun!

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300
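
The boot-time constraint discussed in this thread, as an added C example that is not part of any poster's message: legacy BIOS firmware jumps into sector 0 only if it ends in the 0x55 0xAA boot signature, so encrypting from the MBR onward leaves nothing bootable, while a plaintext loader in sector 0 works only if it decrypts every sector it reads before the OS and its drivers exist. The XOR transform is a toy stand-in for a real sector cipher, the 8-sector image is constructed, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SECTOR 512u
#define NSECT  8u   /* constructed 8-sector sample disk */

/* Stand-in per-sector transform: XOR with an LBA-keyed stream. NOT a real
   cipher; "| 1" keeps every stream byte nonzero so each byte changes. */
static void toy_crypt_sector(uint8_t *s, uint32_t lba, uint32_t key)
{
    uint32_t x = key ^ (lba * 2654435761u);
    for (size_t i = 0; i < SECTOR; i++) {
        x = x * 1664525u + 1013904223u;
        s[i] ^= (uint8_t)((x >> 24) | 1u);
    }
}

/* Encrypt sectors first..NSECT-1 in place (applying it twice decrypts). */
void crypt_from(uint8_t *disk, uint32_t first, uint32_t key)
{
    for (uint32_t lba = first; lba < NSECT; lba++)
        toy_crypt_sector(disk + (size_t)lba * SECTOR, lba, key);
}

/* Legacy BIOS check before jumping into sector 0: 0x55 0xAA at 510..511. */
int bios_accepts_mbr(const uint8_t *disk)
{
    return disk[510] == 0x55 && disk[511] == 0xAA;
}

/* Constructed image: signed MBR in sector 0, sector n filled with 'A'+n. */
void make_image(uint8_t *disk)
{
    for (uint32_t lba = 0; lba < NSECT; lba++)
        memset(disk + (size_t)lba * SECTOR, lba ? 'A' + (int)lba : 0, SECTOR);
    disk[510] = 0x55;
    disk[511] = 0xAA;
}

/* Pre-boot read path: what a plaintext loader must do for every sector it
   fetches before the OS (and any filter driver) is running. */
void preboot_read(const uint8_t *disk, uint32_t lba, uint32_t first_enc,
                  uint32_t key, uint8_t *out)
{
    memcpy(out, disk + (size_t)lba * SECTOR, SECTOR);
    if (lba >= first_enc)
        toy_crypt_sector(out, lba, key);
}
```

Encrypting from sector 0 makes `bios_accepts_mbr` fail; encrypting from sector 1 keeps the disk bootable, and `preboot_read` recovers the plaintext of the encrypted sectors.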


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary G. Little
Sent: Wednesday, June 08, 2005 7:47 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Encryptors

Just how do you intend to boot that disk with an encrypted MBR? Expecting a
driver in the storage stack to encrypt and decrypt the entire disc is
inherently fraught with peril. Any driver for Windows that you write will
always be loaded too late since first the MBR has to be read by the BIOS
which then jumps to a location in the MBR which then loads the OS loader or
NtLoader. But … you encrypted the MBR, so unless the BIOS can decrypt it,
it can’t execute the MBR loader to load the OS.

That’s a classic Catch-22.


The personal opinion of
Gary G. Little


Pete,

Goo’ness … I dinna say it couldn’t be done, just that it is a major task that has ramifications for EVERY disc access. I know of companies that are doing it. It is more effort than simply inserting a filter or intermediate drive “somewhere” in the storage stack since you must handle boot time BEFORE the OS, and your driver, is loaded, as well as panic and crash time. There are LOTS of other things as well.

It is a task not for the faint of heart, and oh so much more easily done by the hard disc itself. :)


The personal opinion of
Gary G. Little

I concur with your evaluation of the task.

Pete

Kernel Drivers
Windows Filesystem and Device Driver Consulting
www.KernelDrivers.com
(303)546-0300


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary G. Little
Sent: Thursday, June 09, 2005 8:02 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Encryptors

Pete,

Goo’ness … I dinna say it couldn’t be done, just that it is a major task
that has ramifications for EVERY disc access. I know of companies that are
doing it. It is more effort than simply inserting a filter or intermediate
drive “somewhere” in the storage stack since you must handle boot time
BEFORE the OS, and your driver, is loaded, as well as panic and crash time.
There are LOTS of other things as well.

It is a task not for the faint of heart, and oh so much more easily done by
the hard disc itself. :)


The personal opinion of
Gary G. Little
