Encrypted partition format
Encrypted DiskCryptor partition does not have visible signatures or any other identifiable data. Without knowing the proper password it is indistinguishable from random numbers, and the structure of the partition can only be discovered by providing right password.
Encrypted partition has the housekeeping data area (volume header) that is followed by the user data.
Volume header
The first 2048 bytes of the partition are occupied by volume header. It contains the information about partition and keys to all user data. Volume header is encrypted with a chosen cryptographic algorithm in XTS mode, with a key derived from a user\'s password. User data that has been residing in the first 2048 bytes of a partition is moved to a relocation area, which is a contiguous sequence of sectors in user area (please read details below). Volume header does not have visible signatures, and without knowing the correct password is indistinguishable from random numbers.
Volume header format
typedef struct _dc_header {
u8 salt[PKCS5_SALT_SIZE]; /* pkcs5.2 salt */
u32 sign; /* signature 'DCRP' */
u32 hdr_crc; /* crc32 of decrypted volume header */
u16 version; /* volume format version */
u32 flags; /* volume flags */
u32 disk_id; /* unique volume identifier */
int alg_1; /* crypt algo 1 */
u8 key_1[DISKKEY_SIZE]; /* crypt key 1 */
int alg_2; /* crypt algo 2 */
u8 key_2[DISKKEY_SIZE]; /* crypt key 2 */
u64 stor_off; /* temporary storage offset */
u64 use_size; /* user available volume size */
u64 tmp_size; /* temporary part size */
u8 tmp_wp_mode; /* data wipe mode */
u8 reserved[1422 - 1];
} dc_header;| Offset | Size | Encryption | Description |
|---|---|---|---|
| 0 | 64 | No | Salt. Random number used when deriving volume header key. |
| 64 | 4 | Yes | DiskCryptor volume signature. Has the value of 0x50524344 (ascii \'DCRP\'). |
| 68 | 4 | Yes | CRC32 of the remaining part of the header (bytes 72-2047). |
| 72 | 2 | Yes | Header format version. Has the value of 1 for DiskCryptor 0.5 volumes. |
| 74 | 4 | Yes | Volume flags. Used for indicating volume\'s state. |
| 78 | 4 | Yes | Unique volume identifier. Used to search for a partition when choosing to boot from the specified partition. |
| 82 | 4 | Yes | Identifier of a main cryptoalgorithm, with which partition is encrypted. |
| 86 | 256 | Yes | Main encryption key of user data on a volume. |
| 342 | 4 | Yes | Identifier of an additional cryptoalgorithm, with which partition is encrypted. Indicates about a previously used cryptoalgorithm on re-encryption. |
| 346 | 256 | Yes | Additional encryption key of user data on a volume. Used for storing the previous key on re-encryption. |
| 602 | 8 | Yes | Offset in user data area, by which the first 2048 bytes of partition data have been relocated. |
| 610 | 8 | Yes | Size of a user data area. |
| 618 | 8 | Yes | Size of the encrypted area. Present only in a partially encrypted state. |
| 626 | 1 | Yes | Partition wipe mode used on encryption. Present only in a partially encrypted state. |
| 627 | 1421 | Yes | Reserved. Zero-filled. |
Relocation area
Relocation area - is a contiguous sequence of sectors where the first 2048 bytes of partition are stored.
Currently there are two methods of placement of this area that are being used: in $dcsys$ file, or at the end of partition. On encryption of partition that has data on it, this area is being placed in $dcsys$file, which is located in a contiguous sequence of clusters. On formatting a new partition, this area is being placed at the end of partition, after user data.
In order to protect the $dcsys$ file from being deleted, fragmented or moved, its access is forbidden by the driver.