is there a way to detect if a drive has encryption already by script/code etc?

oROEchimaru

Supreme [H]ardness
Joined
Jun 1, 2004
Messages
4,662
Issue: 3rd party solutions for encryption in the enterprise often want "their encryption" on the drive. If the drive already has encryption, it may try to re-encrypt with the 3rd party solution, which could damage the drive (or an Android or iPhone device that is encrypted already).

Various vendor solutions: trust the PID/VID IDs of the device. However, this whitelists all devices with that PID/VID, even those that do not have encryption. For instance, a Western Digital external drive may have encryption. The user could format it, remove the encryption, and now has a trusted device that no longer requires encryption.

What I would like to review is: is there a command line or a way for a program to detect that the device has 128 or 256 encryption already, and therefore trust it due to having encryption rather than based on VID/PID?

Then I could pass it on to developers. Thanks!
 
There is no way to do this as a general solution. For a properly implemented cryptosystem there is no way to look at arbitrary data and discriminate between ciphertext or random junk, much less how that ciphertext was encrypted.

You could write various strategies to detect individual vendors' on-disk formats and then read the appropriate metadata. For instance, LUKS has a specific partition header that identifies the partition as being encrypted and how it has been encrypted. You'll just have to do that for all possible types (or at least the ones you care about) of metadata for encrypted containers.
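The header-metadata approach described in this reply, as an added example (not code from the original post): it reads the first few KiB of a device or image file and checks for the LUKS1/LUKS2 header magic and for the BitLocker boot-sector OEM identifier, reporting the cipher and key size that a LUKS1 header records. The sample header built by `_constructed_luks1_header()` is synthetic test data, not a real volume. A device with no recognised header is reported as `None`, which, as the reply says, means "unknown", not "unencrypted".

```python
"""Identify encrypted containers by their on-disk header metadata.

Added example: parses only the binary part of the LUKS header and the
BitLocker OEM ID field. Nothing is decrypted and no key material is read.
"""
import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"       # primary LUKS header magic, offset 0
BITLOCKER_OEM_ID = b"-FVE-FS-"     # OEM name field of a BitLocker volume boot record, offset 3


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def identify_encryption_header(head: bytes) -> Optional[dict]:
    """Return a dict describing a recognised encryption header, or None.

    `head` is the first few KiB read from the start of the device/partition.
    """
    if len(head) >= 112 and head[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", head[6:8])[0]
        if version == 1:
            # LUKS1 phdr layout: cipher-name[32] @8, cipher-mode[32] @40,
            # hash-spec[32] @72, payload-offset u32 @104, key-bytes u32 @108 (big-endian)
            cipher = _cstr(head[8:40])
            mode = _cstr(head[40:72])
            hash_spec = _cstr(head[72:104])
            payload_offset, key_bytes = struct.unpack(">II", head[104:112])
            return {
                "format": "LUKS1",
                "cipher": f"{cipher}-{mode}",
                "hash": hash_spec,
                "key_bits": key_bytes * 8,
                "payload_offset_sectors": payload_offset,
            }
        if version == 2:
            # LUKS2 binary header: hdr_size u64 @8, label[48] @24, uuid[40] @168.
            # Cipher and key details live in the JSON area after the binary header
            # and are not parsed here.
            hdr_size = struct.unpack(">Q", head[8:16])[0]
            return {
                "format": "LUKS2",
                "label": _cstr(head[24:72]),
                "uuid": _cstr(head[168:208]),
                "header_size": hdr_size,
            }
        return {"format": "LUKS", "version": version}
    if len(head) >= 11 and head[3:11] == BITLOCKER_OEM_ID:
        return {"format": "BitLocker"}
    return None


def scan_device(path: str, nbytes: int = 4096) -> Optional[dict]:
    """Read the head of a block device or image (needs read permission) and identify it."""
    with open(path, "rb") as fh:
        return identify_encryption_header(fh.read(nbytes))


def _put(buf: bytearray, offset: int, value: bytes) -> None:
    buf[offset:offset + len(value)] = value


def _constructed_luks1_header() -> bytes:
    """Constructed sample: a synthetic LUKS1 header carrying only the fields parsed above."""
    hdr = bytearray(592)              # size of the LUKS1 phdr
    _put(hdr, 0, LUKS_MAGIC)
    struct.pack_into(">H", hdr, 6, 1)  # version 1
    _put(hdr, 8, b"aes")
    _put(hdr, 40, b"xts-plain64")
    _put(hdr, 72, b"sha256")
    struct.pack_into(">II", hdr, 104, 4096, 32)  # payload offset, 32-byte (256-bit) key
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    for dev in sys.argv[1:] or []:
        print(dev, scan_device(dev))
    print("constructed sample:", identify_encryption_header(_constructed_luks1_header()))
```

Run it as `python3 detect_headers.py /dev/sdb1` (root is normally needed to read a raw device); on Linux, `blkid` performs the same kind of signature probing for many more formats.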
 
The only use for hardware encryption built into the disks themselves is the secure erase capability, where you change the key within the drive and your data becomes relatively safely erased - though personally I'd still recommend wiping those drives beforehand for even more security.

Some drives come with encryption SOFTWARE on them but it does nothing unless you actually set it up and none of it is likely to be good.

The only sorts of encryption I'd trust are filesystem/OS-level encryption like BitLocker and ZFS encryption, application-level encryption (as long as you're using it within its intended purposes), and MAYBE TrueCrypt or its supposedly-improved fork VeraCrypt. Probably not TrueCrypt or VeraCrypt for enterprise usage, at least at this time.

Encryption is definitely something a system administrator will need to know about and set up. It is not something where you just buy some drive that is "already encrypted" and call it a day.
 
Just ignore any encryption on the drive itself and do your own in software.

Thanks to the terrorist organization called NSA, any blackbox encryption is tainted and cannot be trusted.
 
There is no way to do this as a general solution. For a properly implemented cryptosystem there is no way to look at arbitrary data and discriminate between ciphertext or random junk, much less how that ciphertext was encrypted.

You could write various strategies to detect individual vendors on disk formats and then read the appropriate metadata. For instance LUKS has a specific partition header that identifies the partition as being encrypted and how it has been encrypted. You'll just have to do that all possible types (or at least the ones you care about) of metadata for encrypted containers.

Assuming software encryption, because some hardware encryption might be transparent to the user and OS.

Although you are correct that random data and a good cipher should have the same level of entropy and look equally random, this is not necessarily important: most data you store on your drive does not look like random data at all but has patterns. This can be leveraged to differentiate between encrypted and plaintext drives to some degree.

However, probably the easiest way to see if a disk is encrypted would be:
1. Scan the partition table.
2. Try to mount a partition. If it works, the partition is not software encrypted (but might be transparently hardware encrypted). If it fails, then the partition is either in a different filesystem format (which you can just try in the same way), it is broken (at which point one of the tools you use to mount it should tell you it needs to be fsck'd), or it might be encrypted.

Note that this is not a definitive answer, but it should work well for most cases.
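The entropy heuristic this reply describes, as an added example (not code from the original post): it samples fixed-size blocks across an image, measures each block's Shannon entropy, and reports what fraction of the non-blank blocks look random. The sample data built by `constructed_samples()` is synthetic. The thresholds and the three-way verdict are this example's own choices, and the usual caveats apply: compressed or already-encrypted files on a plaintext filesystem are also high-entropy, and a freshly created encrypted volume may still be mostly zeros, so this is a hint to combine with header checks, not a proof.

```python
"""Entropy-based heuristic: does a disk image look like plaintext or like ciphertext?

Added example. Shannon entropy of uniformly random bytes approaches 8.0 bits
per byte; text, executables and filesystem metadata sit well below that.
"""
import math
import random
from collections import Counter
from typing import Iterator, Tuple

BLOCK_SIZE = 4096          # one filesystem block per sample
HIGH_ENTROPY = 7.9         # bits/byte; ciphertext on a 4 KiB block lands around 7.95+
ENCRYPTED_FRACTION = 0.9   # verdict thresholds chosen for this example
PLAINTEXT_FRACTION = 0.1


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte in `block` (0.0 for empty or constant input)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def sample_blocks(data: bytes, block_size: int = BLOCK_SIZE, max_blocks: int = 256) -> Iterator[bytes]:
    """Yield up to `max_blocks` blocks spread evenly over `data`, skipping all-zero
    (unallocated or sparse) blocks, which say nothing about either hypothesis."""
    total = len(data) // block_size
    if total == 0:
        return
    step = max(1, total // max_blocks)
    for i in range(0, total, step):
        block = data[i * block_size:(i + 1) * block_size]
        if block.count(0) != len(block):
            yield block


def classify_image(data: bytes, block_size: int = BLOCK_SIZE) -> Tuple[str, float]:
    """Return (verdict, fraction of sampled non-zero blocks that look random).

    verdict is 'likely_encrypted', 'likely_plaintext', 'mixed' or 'unknown'
    (no non-zero blocks to judge).
    """
    blocks = list(sample_blocks(data, block_size))
    if not blocks:
        return "unknown", 0.0
    high = sum(1 for b in blocks if shannon_entropy(b) >= HIGH_ENTROPY)
    fraction = high / len(blocks)
    if fraction >= ENCRYPTED_FRACTION:
        return "likely_encrypted", fraction
    if fraction <= PLAINTEXT_FRACTION:
        return "likely_plaintext", fraction
    return "mixed", fraction


def classify_file(path: str, nbytes: int = 64 * 1024 * 1024) -> Tuple[str, float]:
    """Classify the first `nbytes` of a device or image file (needs read permission)."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(nbytes))


def constructed_samples() -> dict:
    """Constructed test data standing in for device reads: pseudo-random bytes
    (what ciphertext looks like), repetitive text, and a half-and-half mix."""
    rng = random.Random(20240601)
    random_part = rng.randbytes(64 * BLOCK_SIZE)
    text_part = (b"Quarterly report: revenue up, costs flat. See appendix B.\n" * 80)[:BLOCK_SIZE] * 64
    return {
        "ciphertext_like": random_part,
        "plaintext_like": text_part,
        "mixed": text_part + random_part,
        "blank": b"\x00" * (16 * BLOCK_SIZE),
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:16s} -> {classify_image(data)}")
```

On a real system you would point `classify_file()` at a partition rather than at constructed data; treat 'likely_encrypted' as a reason to run the header checks, not as a final answer.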
 
Best option: encrypt the data with your own software* before writing it to a drive. It doesn't matter what happens after this point; your data is still secure no matter what the drive does.

*Cryptography is HARD. Don't do it yourself; use a tried and tested library, e.g. OpenSSL, to do it for you, and keep it up to date.
 