Views
Contents |
[edit] Encrypted partition format
An encrypted DiskCryptor partition does not have visible signatures or any other identifiable data. Without knowing the password, it is indistinguishable from random numbers, and the structure of the partition can only be discovered with the right password, that needs to go with the partition. Encrypted partition has an area of functionary data (volume header), after which user data is being located.
[edit] Volume header
The first 2048 bytes of a partition are occupied by volume header. There, information about the partition and the keys to all user data, are being kept. Volume header is encrypted with a chosen cryptoalgorithm in XTS mode, with the key acquired from the user's password. User data that has been residing in the first 2048 bytes of a partition is moved to a relocation area, which is a contiguous sequence of sectors in user area (please read details below). Volume header does not have visible signatures, and without knowledge of a password is indistinguishable from random numbers.
[edit] Volume header format
typedef struct _dc_header {
u8 salt[PKCS5_SALT_SIZE]; /* pkcs5.2 salt */
u32 sign; /* signature 'DCRP' */
u32 hdr_crc; /* crc32 of decrypted volume header */
u16 version; /* volume format version */
u32 flags; /* volume flags */
u32 disk_id; /* unique volume identifier */
int alg_1; /* crypt algo 1 */
u8 key_1[DISKKEY_SIZE]; /* crypt key 1 */
int alg_2; /* crypt algo 2 */
u8 key_2[DISKKEY_SIZE]; /* crypt key 2 */
u64 stor_off; /* temporary storage offset */
u64 use_size; /* user available volume size */
u64 tmp_size; /* temporary part size */
u8 tmp_wp_mode; /* data wipe mode */
u8 reserved[1422 - 1];
} dc_header;
| Offset | Size | Encryption | Description |
|---|---|---|---|
| 0 | 64 | No | Salt. Random number used on acquiring header's key. |
| 64 | 4 | Yes | DiskCryptor volume signature. Has the value of 0x50524344 (ascii 'DCRP'). |
| 68 | 4 | Yes | CRC32 of the remaining part of a header (bytes 72-2047). |
| 72 | 2 | Yes | Header format version. Has the value of 1 for DiskCryptor 0.5 volumes. |
| 74 | 4 | Yes | Volume flags. Used for indicating volume's state. |
| 78 | 4 | Yes | Unique volume identifier. Used for partition search on choosing a boot from a specified partition. |
| 82 | 4 | Yes | Identifier of a main cryptoalgorithm, with which partition is encrypted. |
| 86 | 256 | Yes | Main key for encryption of user data in a volume. |
| 342 | 4 | Yes | Identifier of an additional cryptoalgorithm, with which partition is encrypted. Indicates about a previously used cryptoalgorithm on re-encryption. |
| 346 | 256 | Yes | Additional key for encryption of user data in a volume. Used for storage of a previous key on re-encryption. |
| 602 | 8 | Yes | Offset in user data area, by which the first 2048 bytes of partition data have been relocated. |
| 610 | 8 | Yes | Size of a user data area. |
| 618 | 8 | Yes | Size of the encrypted area. Present only in a partially encrypted state. |
| 626 | 1 | Yes | Partition wipe mode used on encryption. Present only in a partially encrypted state. |
| 627 | 1421 | Yes | Reserved. Filled with zeroes. |
[edit] Relocation area
Relocation area, - is a contiguous sequence of sectors where the first 2048 bytes of partition are stored. Currently there are two methods of placement of this area that are being used: in $dcsys$ file, or at the end of partition. On encryption of partition that has data on it, this area is being placed in $dcsys$ file, which is located in a contiguous sequence of clusters. On formatting a new partition, this area is being placed at the end of partition, after user data. In order to protect the $dcsys$ file from being deleted, fragmented or moved, its access is being prohibited by the driver.
Links
