Kryptel Storage Model
The purpose of this article is to provide information on Kryptel internal data formats for public scrutiny. At least a basic understanding of programming is required.
Kryptel uses a two-level storage model: the lower level is the encrypted storage, implemented by a storage handler, and the upper level is the Kryptel file storage, implemented by a file agent. File storage is built on top of the low-level encrypted storage. A crude analogy is a file system implemented on top of a logical drive.
Encrypted storage is a set of nested objects. There is exactly one top-level object, which may (and usually does) contain other objects, which in turn may contain child objects of their own. Note that the top-level object always exists, even if the storage is empty.
Every object is identified by a 128-bit number. Unlike a GUID, this identifier is not necessarily globally unique, but it is guaranteed to be unique among the children of the same parent object.
In addition to its identifier, an object can have an associated attribute block and a data stream. Both the attribute block and the data stream are optional. The storage handler interprets neither the contents of the attribute block nor the data stream; from the handler's point of view they are just raw data that a higher-level client owns and fully controls.
There is one important difference between the attribute block and the data stream: the attribute block is stored in the container directory and is resident in memory while the container is open, whereas the data stream is never read or decrypted without an explicit request from the higher-level client. Although the storage's client can use the attribute block and the data stream in any way, the typical usage is to keep small, frequently referenced data in the attribute block and large chunks of rarely needed data in the data stream. For instance, the Kryptel file agent stores the file name and attributes in the attribute block, and the file contents in the object's data stream.
Note that the presence of an associated attribute block and/or data stream is what makes an object ‘real’. An object without associated data is nothing more than an abstract container for nested objects (if any are present).
The storage handler is responsible for data encryption. A higher-level agent stores and retrieves all data in unencrypted form, and the storage handler transparently encrypts and decrypts it.
Kryptel includes the following storage handlers:
- Kryptel 7 modifiable storage. It is the default handler, which fully supports all Kryptel features.
- Kryptel 6 advanced storage. Kryptel 6 compatibility storage handler.
- FIPS 140-2-compliant storage. Uses CryptoAPI functions instead of Kryptel encryption components. It does not implement some Kryptel features like recovery blocks or password recognition.
- Kryptel 5 compatibility storage handler. It is used in combination with Kryptel 5 agent.
- Kryptel 3 and 4 compatibility storage handler. It is used in combination with Kryptel 3/4 agent.
The file agent uses the storage's generic objects to represent all kinds of file system and special objects. The object's attribute block contains the object type identifier (i.e. directory, file, thumbnail, and so on) and object-related data like file attributes or creation time. The object's data stream is used for storing the object's data, for instance the file contents.
Quite obviously, a directory object's child objects represent the file system objects contained in that directory. However, a file object can also have nested objects (although a typical file object does not): alternate streams and thumbnails are represented as storage objects belonging to the corresponding file object.
The topmost object represents the container itself.
Another important type of object is the target. Each target represents a system folder that does not have a strictly defined location. For example, the user ‘Documents’ folder has different file system paths in different Windows versions (not even mentioning localized Windows). The TARGET_DOCUMENTS target represents that folder, but the specific file system path is determined only during the decryption operation, and will differ from system to system.
Targets are a required part of the backup container implemented by the Kryptel backup agent. Only a target is allowed to be a child object of the root object of a backup container, and a target is allowed only there. The structure of a backup container is thus a root (container) object, which can have zero or more child target objects, each of which may in turn have any number of child file system objects. This structure implements a multiple-root model for the backup container: a set of targeted roots, each containing any number of files and folders.
The standard Kryptel file agent does not support targets, except for the pseudo-target TARGET_DEFAULT, which represents the container's root.
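The object model and layout rules described above, as an added illustration that is not Kryptel's own code: a minimal in-memory storage object with the sibling-unique 128-bit identifier, optional attribute block and lazily read data stream, plus a checker for the file-agent rules (targets only directly under a backup root, never inside a file container; alternate streams and thumbnails only under file objects). The type tags are hypothetical, and the pseudo-target TARGET_DEFAULT is assumed to be the root itself rather than a child object, so it never appears in the tree.

```python
import os
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical type tags for the attribute block; the real Kryptel encoding is not given on the page.
TYPE_CONTAINER, TYPE_TARGET, TYPE_DIR, TYPE_FILE, TYPE_STREAM, TYPE_THUMBNAIL = range(6)


@dataclass
class StorageObject:
    """Low-level object: 128-bit id, optional attribute block, optional data stream, children."""
    attrs: Optional[dict] = None              # resident in memory while the container is open
    stream: Optional[bytes] = None            # handed out only on an explicit read_stream() call
    oid: int = field(default_factory=lambda: int.from_bytes(os.urandom(16), "big"))
    children: list = field(default_factory=list)
    stream_reads: int = 0

    def is_real(self) -> bool:
        # no attribute block and no stream: just an abstract container for nested objects
        return self.attrs is not None or self.stream is not None

    def read_stream(self) -> bytes:
        self.stream_reads += 1                # counts explicit reads; validate_layout never reads
        return self.stream or b""

    def add(self, child: "StorageObject") -> "StorageObject":
        # ids need only be unique among siblings; the same id may reappear under another parent
        if any(c.oid == child.oid for c in self.children):
            raise ValueError(f"duplicate id {child.oid:032x} under one parent")
        self.children.append(child)
        return child


def validate_layout(root: StorageObject, backup: bool) -> list:
    """Return a list of layout-rule violations (empty list means the tree is well formed)."""
    problems = []

    def walk(obj, depth, parent_type):
        t = (obj.attrs or {}).get("type")
        if t == TYPE_TARGET and (not backup or depth != 1):
            problems.append(f"target at depth {depth} in {'backup' if backup else 'file'} container")
        if backup and depth == 1 and t != TYPE_TARGET:
            problems.append("backup root has a non-target child")
        if t in (TYPE_STREAM, TYPE_THUMBNAIL) and parent_type != TYPE_FILE:
            problems.append("alternate stream or thumbnail not owned by a file object")
        for c in obj.children:
            walk(c, depth + 1, t)

    walk(root, 0, None)
    return problems
```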
Kryptel includes four agents:
- Kryptel 6 and 7 File Agent. The default agent, responsible for handling .edc containers.
- Kryptel 6 and 7 Backup Agent. This agent handles backups and filesets (.ebk and .efs files).
- Kryptel 5 compatibility agent. It is used in combination with Kryptel 5 storage handler.
- Kryptel 3 and 4 compatibility agent. It is used in combination with Kryptel 3/4 storage handler.