AFF Encryption

Release 2.4 of AFFLIB implements AFF passphrase encryption.

Encryption is based on a 256-bit randomly-generated AES key (called
the AFF key). This key is itself encrypted with an AFF passphrase and
stored in its own segment. This strategy allows an AFF image
encryption passphrase to be changed without re-encrypting the entire
disk image.

The AFF passphrase may be specified either as part of the filename or,
for some AFF commands, as an optional argument. AFF uses the URI syntax
of RFC 1630 to specify encryption passphrases. Specifically, RFC 1630
allows the file myfile.aff to be specified as a URI:

	file:///myfile.aff

The passphrase 'mypassphrase' can be added to this URI:

	file://:mypassphrase@/myfile.aff

If you wish to refer to myfile.aff in the root directory, use this
syntax:

	file:////myfile.aff

Because Windows interprets forward and back slashes in the same
manner, this URI refers to the file c:\myfile.aff:

	file:///c:/myfile.aff
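As an added illustration of the naming syntax above (example code, not part of AFFLIB), the small Python parser below splits an AFF file name into its filesystem path and optional passphrase, following the reading of the syntax given in this note: the userinfo part of the authority carries the passphrase, and the first '/' after the authority is a separator. Percent-decoding of the passphrase and rejection of a host part are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

SCHEME = "file://"


@dataclass(frozen=True)
class AffTarget:
    path: str                   # filesystem path handed to the AFF library
    passphrase: Optional[str]   # None when the name carries no passphrase


def parse_aff_name(name: str) -> AffTarget:
    """Split an AFF file name into its path and optional passphrase.

    Plain names are returned unchanged.  For file: URIs the userinfo part
    of the authority ([user]:passphrase@) carries the passphrase and the
    first '/' after the authority is a separator, so file:///x is the
    relative file 'x', file:////x is '/x' and file:///c:/x is 'c:/x'.
    """
    if not name.startswith(SCHEME):
        return AffTarget(path=name, passphrase=None)
    rest = name[len(SCHEME):]
    authority, sep, path = rest.partition("/")
    if not sep:
        raise ValueError("file: URI has no path component: %r" % name)
    passphrase = None
    if authority:
        userinfo, at, host = authority.rpartition("@")
        if not at or host:
            # Assumption: AFF names are local files, so a host part is rejected.
            raise ValueError("unexpected host in AFF URI: %r" % host)
        user, colon, secret = userinfo.partition(":")
        if not colon:
            raise ValueError("userinfo without ':passphrase' in %r" % name)
        # Assumption: RFC 1630 %-escapes in the passphrase are decoded, so a
        # passphrase containing '@' or '/' can be written as %40 or %2F.
        passphrase = unquote(secret)
    return AffTarget(path=path, passphrase=passphrase)


def redact(name: str) -> str:
    """Return the name with any embedded passphrase masked, for logging."""
    target = parse_aff_name(name)
    if target.passphrase is None:
        return name
    return SCHEME + ":***@/" + target.path
```

A passphrase embedded in a filename travels with the command line, so redact() is meant for any place such names are written to logs; the interactive prompts of afcrypto shown below keep the passphrase off the command line entirely.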



EXAMPLES

To encrypt the AFF file disk.aff, you might use this command:

	afcopy disk.aff  file://:mypassphrase@/disk-encrypted.aff

To image directly to an encrypted AFF file, you might use aimage like
this:

	aimage /dev/hda  file://:mypassphrase@/disk-encrypted.aff


If you want to see the encrypted segments, use this command:

	afinfo -a disk-encrypted.aff

If you want to see the decrypted segments, use this command:

	afinfo -a file://:mypassphrase@/disk-encrypted.aff

You can change the passphrase on a file using the afcrypto command:

	afcrypto -c disk-encrypted.aff
	Enter old passphrase: mypassphrase
	Enter new passphrase: newpassphrase

	change passphrase
	passphrase successfully changed.


Please let me know what you think!  A future version of AFF will
support public key encryption as well.

Simson Garfinkel
August 27, 2007
