Rethinking Block Storage Encryption with Virtual Disks

TL;DR

This paper proposes enhancing virtual disk encryption by adding per-sector metadata to enable randomized IVs and integrity, improving security with manageable performance overheads in distributed block storage systems.

Contribution

It introduces a method to incorporate per-sector metadata in virtual disks, allowing for randomized IVs and integrity, addressing security limitations of standard encryption practices.

Findings

AES-XTS with random IV is feasible with 1-22% overhead

Adding per-sector metadata improves security in virtual disks

Implementation in Ceph RBD demonstrates practical benefits

Abstract

Disk encryption today uses standard encryption methods that are length preserving and do not require storing any additional information with an encrypted disk sector. This significantly simplifies disk encryption management as the disk mapping does not change with encryption. On the other hand, it forces the encryption to be deterministic when data is being overwritten and it disallows integrity mechanisms, thus lowering security guarantees. Moreover, because the most widely used standard encryption methods (like AES-XTS) work at small sub-blocks of no more than 32 bytes, deterministic overwrites form an even greater security risk. Overall, today's standard practice forfeits some security for ease of management and performance considerations. This shortcoming is further amplified in a virtual disk setting that supports versioning and snapshots so that overwritten data remains accessible. In this work, we address these concerns and stipulate that especially with virtual disks, there is motivation and potential to improve security at the expense of a small performance overhead. Specifically, adding per-sector metadata to a virtual disk allows running encryption with a random initialization vector (IV) as well as potentially adding integrity mechanisms. We explore how best to implement additional per-sector information in Ceph RBD, a popular open-source distributed block storage with client-side encryption. We implement and evaluate several approaches and show that one can run AES-XTS encryption with a random IV at a manageable overhead ranging from 1\%--22\%, depending on the IO size.