DOS disk encryptor

[Eric Blossom <eb@well.sf.ca.us>]

Ryan,
 
Good luck on building the DOS disk encryptor.  I belive that what you 
need to do is write a standard DOS disk driver (that can be installed in 
CONFIG.SYS) that implements the READ and WRITE primitives.  I belive 
that they use the same entry point (the STRATEGY entry) in the driver.  
You would basically just call the BIOS routines to do the actual i/o.  
 
You don't have to worry about the FAT etc, just encrypt everything.  You 
will probably want to use DES or IDEA and run it in CBC mode or Counter 
Mode.  You would use the DISK BLOCK NUMBER as a piece of the key 
material (or part of the Initialization Vector), hence, even if the same 
data appeared multiple places on the drive, it would appear different on 
the surface.  There is a good description of operation modes in "Modern 
Cryptology: a Tutorial" by Gilles Brassard (Springer Verlag Lecture 
Notes in Computer Science #325, 1988).  Denning's book covers it too.
 
I'd probably start out getting it running on a floppy.  After that, just 
use a separate partition to make life easier.  The driver is handed 
physical (or logical) block numbers, and these map directly to the 
physical drive block number by adding the offset of the beginning of 
partition.  At driver init time, you read the partition table on the 
hard disk, looking for a "system type" that identifies the partition as 
one of your encrypted ones.  Prompt for the pass phrase, and store it in 
the driver.  I assume that your concern is somebody physically grabbing 
the disk drive.  I don't have a problem with the pass phrase in memory, 
as long I have physical control of the system.
 
In some of the DOS references, there used to be a sample RAM DISK device 
driver.  You could use it as the skeleton to get the entry points
right, and then just encrypt the block and call the BIOS to do the 
i/o.
 
Have fun,
Eric Blossom