Encryption - Strategies
Current Page Contents

1 Introduction
2 Planning Your DOS Installation
 2.1 Introduction
 2.2 Choosing a Disk
 2.3 Single, Dual or Triple Boot
 2.4 Installing DOS on Your New Hard Drive
3 Planning Your Encrypted Partition
 3.1 Introduction
 3.2 Planning Your Filing System Structure
 3.3 File, or File and Filing System Encryption
4 Choosing Encryption Algorithms
5 Auto Hard Drive Data Destruction
 5.1 Introduction
 5.2 Overview
 5.3 General
 5.4 Sensor Unit
 5.5 Control Unit
 5.6 Speaker/Sounder Unit
 5.7 Remote Control Unit
 5.8 EM Pulse Unit
 5.9 Battery
 5.10 Charger Unit
 5.11 Practicalities

1 Introduction

If you have read through previous sections, you will have found out how DOS works to a very low level. You will also have learned quite a lot about choosing a secure encryption algorithm and random number generator.

Now is the time to put the whole lot into practice to develop your own extremely secure filing system ;)

We will be taking a look at all stages that need to be considered to enable you to do this with ultimate security in mind.

2 Planning Your DOS Installation

2.1 Introduction

There are many points you need to consider if you want to install a DOS partition to hold your encrypted files.

For example, do you use a different PC and put DOS only on it, or do you put a new hard drive in your system to act as a secondary drive to Windows or Linux?

My personal opinion is that you are better off keeping a separate PC to hold any sensitive data that needs to be encrypted. It is a bit inconvenient. However, it's all a matter of how sensitive your data is. If it's sensitive enough to cause you to lose your freedom, then it certainly needs to go onto a separate system with its own hardware booby traps to obliterate the hard disk should the system fall into the wrong hands.

If you want to implement anything in Part 5 of this section, you certainly don't want your Windows or Linux hard drive getting its data destroyed at the same time as you lose your sensitive data should your computer fall into the hands of the authorities ;)

After all, you can pick up a cheap second hand PC that will run DOS for about £30 if money is really tight. I bought an old 486DX66 for £25 recently at a car boot sale, which is more than adequate for DOS. The encryption and decryption takes a while, but I just switch the system on and go away to make a cup of coffee until it boots up and decrypts the Filing System.

Networking is easy under DOS, so by purchasing a cheap network card you can quite easily link the DOS machine to any other system to transfer information back and forth.

Microsoft's MSClient 3.0 for DOS is available for free from Microsoft's FTP site; this will quite easily allow DOS to talk to Windows (95/98/NT/2000) and Linux.

2.2 Choosing a Disk

Choice of hard disk isn't really a problem. Choose the cheapest IDE drive you can lay your hands on, either new or second hand.

I say IDE as the routines I have written have not been tested on non-IDE drives, and DOS often has problems with non-IDE drives.

Don't worry about size and DOS limitations as we will be creating a DOS partition which has ample space for DOS, and can be recognised easily by DOS. The rest will be your encrypted partition. You don't need to worry about DOS being able to access this as we will be developing the code to do this.

2.3 Single, Dual or Triple Boot

As I have mentioned before, I personally recommend using a separate PC to store encrypted data. However, that's not always feasible for many people.

If you do decide to put a second hard drive in your existing computer to co-exist with your current operating system(s), you need to consider exactly how you want to do this, especially if you want your other operating system(s) to be able to access the DOS drive and whether you want your DOS drive to be able to access your other operating system(s) drive.

I won't bother filling up this web site with dual and triple boot procedures as there are many FAQs out there for all operating systems that show you how to do this.

The Links Section has pointers to various FAQs for dual and triple boot procedures.

If you need a little help with a particular solution, feel free to send me an email.

I'm going to assume that you don't want your DOS drive to be able to access your current operating system(s). This is the easiest route to take. If you take this route, you will still be able to access your DOS partition from your current operating system(s) to transfer sensitive data backwards and forwards if you want.

You will need to be able to boot your DOS drive to use the encryption and filing system methods I have developed, but this can be accomplished easily by two means.

Most current PCs have a multi-boot option in the BIOS, so when you switch on your PC, hit Delete to enter the BIOS and select the DOS drive number. If you don't have this option in your BIOS, just boot from a DOS floppy and access your DOS drive directly.

If you want to use your DOS drive often to access encrypted information this is a bit inconvenient, so you really need to consider reading up on the dual boot FAQs for your current operating system.

2.4 Installing DOS on Your New Hard Drive

The most sensible way to install DOS on your new hard disk (assuming you want your DOS drive to co-exist with your primary operating system) is to remove your existing hard disk first to make sure you don't accidentally overwrite your Windows or Linux MBR :)

Put your new hard drive in the PC, configured as the master, then reboot your PC and hit the BIOS key (Delete), then auto-detect the hard drive. Reboot again with the first DOS disk in drive A and follow the instructions for installing DOS. When FDISK asks you if you want all of the drive for DOS, say no.

Assuming you don't have the need for any specialist programs, then all you will need is space for DOS, a C compiler, an Assembler, a decent text editor and a spreadsheet.

There are plenty of free C compilers/assemblers available. I use the DJGPP package. Borland have also released version one of TurboC for DOS as freeware. Similarly, there are free programmers' editors and spreadsheets around. A spreadsheet is ideal for analysing keys for randomness. The Links section has a few sites to point you in the right direction.

Say about 120MB maximum will be needed. As most recent hard drives come in GB sizes, reserve say 256MB as the primary partition for DOS to ensure you have plenty of space to add other programs if you need them. I specifically mention 256MB as this allows plenty of space, but keeps the cluster size down to 4KB... a reasonable compromise for most DOS systems.

Leave the rest free for your own encrypted partition.

Once you have installed DOS, put your original hard disk back in as the primary, and the DOS drive as the slave. Reboot the PC and go back into the BIOS to perform the auto hard drive detect again so your original operating system is the primary boot drive.

If you want the dual or triple boot facility, you now need to run the appropriate setup program (eg LILO if you use Linux) from your primary operating system to enable this. You should be able to get this information from a relevant FAQ. As I have said before, feel free to email me if you need help with a particular solution.

3 Planning Your Encrypted Partition

3.1 Introduction

OK, so finally we get down to discussing how to develop your own secure filing system.

I'm assuming you have set up your DOS partition and have left the rest of the drive free and unformatted to allow you to develop your encrypted partition from scratch.

This section is intended to act as a stimulant to enable you to think for yourself as to how you can develop your own filing system standard that obviously won't be known to anyone other than yourself, thus making it extremely difficult for any authority to even find any files on your system, let alone decrypt them ;)

3.2 Planning Your Filing System Structure

OK. If you have read through the Disk Structure section, you will have a basic understanding of what you need to consider to develop your own filing system.

To refresh your memory, DOS uses a root directory structure and a File Allocation Table to track every file on your hard drive. As the format of this is well known, we need to consider other methods to ensure your files can't even be found on your hard drive ;)

DOS uses its own system area to store these tables in contiguous sectors, which we definitely don't want to do as it makes it easier for the authorities to concentrate on decrypting your new filing system.

Be creative when choosing where your filing system resides on disk. For example, you could use a random number generator to choose the sectors where the filing system will reside!

This is the approach we will be looking at in the Examples section.

You could also use additional hardware (e.g. a dongle or plug-in card etc.) to control access to your filing system. I've designed quite a few add-on cards to do this; however, the cost of these is prohibitive for private individuals as I get them manufactured in batches of around ten or so and the gold plated contacts push up the price a bit for small volume production. It's well worth the price to commercial organisations though!

Sorry, but I won't be publishing circuit diagrams or PCB layouts for any of the designs as that's part of the way I earn my living now :)

Also, you might want to consider using a floppy disk to hold your filing system details, without which the authorities could not access your drive ;)

You might also want to consider creating a filing system that does not store file dates and times, which makes it all the more difficult for any authority to take action against you :)

DOS stores files in contiguous cylinders when it gets the chance to avoid file fragmentation. This is another concept we don't want to use as it makes it easy for the authorities to piece files together. We shouldn't be bothered if our files are fragmented; in fact we should plan to ensure they are fragmented to make it difficult to find them!

OK, this puts a bit of a burden on the PC as it has to rearrange file sectors before it can display them, but we want the ultimate in security and therefore should be prepared to put up with a slightly slower system.

Hopefully this part gives food for thought. Take a look at the Examples section for an idea of what you can do.

Don't follow it blindly as it is obviously now in the public domain, but use it (along with your own imagination) to plan your own system from scratch :)

A decent self-designed filing system should secure your sensitive data from prying eyes for the rest of your life!
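One way to realise the scattered layout described above, as an added example that is not code from the original page: the sectors holding the filing-system table are drawn from the partition by a seeded Fisher-Yates shuffle, so the same seed rebuilds the same layout at boot and a different seed gives a different one. The generator (xorshift32), the toy partition size and the function names are assumptions; the layout is only as secret as the seed, which is exactly the sort of detail the text suggests keeping on a floppy.

```c
/* Added example (not the site's own code): pick the physical sectors that
 * hold the filing-system table from a secret seed, as section 3.2 suggests.
 * xorshift32 is used here for portability and is an assumption; any keyed
 * generator would do, and the layout is only as secret as the seed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sizes: a toy partition so the result is easy to check by hand. */
#define PARTITION_SECTORS 64u  /* sectors in the encrypted partition */
#define TABLE_SECTORS      8u  /* sectors the filing-system table occupies */

static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return x;
}

/* Fill map[0..n_table) with distinct physical sector numbers in [0, n_part)
 * using a seeded partial Fisher-Yates shuffle. The result is a pure function
 * of the seed, so the same seed rebuilds the same layout at boot time. */
int scatter_table(uint32_t seed, uint32_t n_part, uint32_t n_table, uint32_t *map)
{
    uint32_t *pool, i, st = seed ? seed : 0x9E3779B9u; /* xorshift must not start at 0 */
    if (map == NULL || n_table == 0 || n_table > n_part) return -1;
    if ((pool = malloc(n_part * sizeof *pool)) == NULL) return -1;
    for (i = 0; i < n_part; i++)
        pool[i] = i;
    for (i = 0; i < n_table; i++) {
        uint32_t j = i + xorshift32(&st) % (n_part - i);   /* j in [i, n_part) */
        uint32_t tmp = pool[i]; pool[i] = pool[j]; pool[j] = tmp;
        map[i] = pool[i];
    }
    free(pool);
    return 0;
}

/* Sanity check for a layout: every entry inside the partition, no sector
 * used twice. A table that overlapped itself would corrupt on first write. */
int layout_is_valid(const uint32_t *map, uint32_t n_table, uint32_t n_part)
{
    uint32_t i, j;
    for (i = 0; i < n_table; i++) {
        if (map[i] >= n_part) return 0;
        for (j = 0; j < i; j++)
            if (map[i] == map[j]) return 0;
    }
    return 1;
}
```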

3.3 File, or File and Filing System Encryption

OK, you've planned your own filing system structure and have chosen an algorithm to encrypt all of your files.

Even though your files have been encrypted, and you have developed your own filing system from scratch, you can take things one stage further by encrypting your filing system itself ;)

Given that the authorities won't have much chance of finding files on your own system as you developed it yourself, you can make sure they can't by encrypting your own filing system!

Once again, the way you choose to do this is only limited by your imagination, but take a look at the Examples section to see what is possible.

4 Choosing Encryption Algorithms

Hopefully by the time you have got to this part you will have read the Algorithms section.

If not, then go back and read it!

It is up to you as to which algorithms you choose. I recommend you use a one time pad to encrypt your filing system, with the key being stored on a floppy disk or some other removable media.

The advantage of holding important keys only on a floppy is that you've always got time to destroy it should you get an early morning waking call ;)

You can also leave backup (encrypted, obviously) copies at locations where they won't be found!

I also recommend you use Blowfish for file encryption as it is arguably one of the most secure private key systems around.

That's my own personal choice; the final decision is up to you!

Take a look at the Examples section to see how easy it is to do this yourself :)
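The one-time-pad protection of the filing system that sections 3.3 and 4 recommend, as an added example that is not code from the original page: each table record is XORed with a fresh slice of the pad (standing in for the key file on the removable disk) and the slice offset is stored beside it; the helper refuses to hand out a slice twice or to use a pad that is too short, since pad reuse is the one mistake that makes a one-time pad breakable. The struct, the function names and the sample bytes are assumptions.

```c
/* Added example (not the site's own code): one-time-pad protection of the
 * filing-system table records that sections 3.3 and 4 describe. The pad
 * stands in for the key file on the removable disk. Each record takes a
 * fresh slice of the pad and remembers its offset; no slice is ever handed
 * out twice, because pad reuse is the one mistake that makes a one-time
 * pad breakable. Struct and function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct pad {
    const uint8_t *bytes;  /* pad material loaded from the key disk */
    size_t len;            /* total pad length */
    size_t used;           /* bytes already consumed; never rewound */
};

static void xor_bytes(uint8_t *dst, const uint8_t *src, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        dst[i] ^= src[i];
}

/* Encrypt rec in place with the next len unused pad bytes and report the
 * offset used in *offset (stored in clear beside the record so the reader
 * can find the same slice). Returns -1 when the pad is exhausted: the
 * caller must fetch a new pad, never wrap around or rewind. */
int otp_encrypt_record(struct pad *p, uint8_t *rec, size_t len, size_t *offset)
{
    if (p == NULL || rec == NULL || offset == NULL || p->len - p->used < len)
        return -1;
    *offset = p->used;
    xor_bytes(rec, p->bytes + p->used, len);
    p->used += len;
    return 0;
}

/* Decrypt rec in place with the slice recorded at encryption time. Only
 * the bounds are checked; a wrong offset yields garbage, as with any OTP. */
int otp_decrypt_record(const struct pad *p, size_t offset, uint8_t *rec, size_t len)
{
    if (p == NULL || rec == NULL || offset > p->len || p->len - offset < len)
        return -1;
    xor_bytes(rec, p->bytes + offset, len);
    return 0;
}

/* Constructed sample data: a 32-byte pad (in real use, random bytes read
 * from the key disk) and one 16-byte table record. */
const uint8_t demo_pad[32] = {
    0x3a,0x91,0xc4,0x07,0xe8,0x5d,0x22,0xb6,0x70,0x1f,0xaa,0x4c,0xd3,0x8e,0x65,0x09,
    0xf1,0x2b,0x9c,0x47,0x6e,0xb0,0x15,0xda,0x83,0x3c,0xe7,0x58,0x0b,0xc9,0x94,0x26
};
const uint8_t demo_record[16] = "SECTOR-MAP-REC1"; /* 15 chars plus NUL */
```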

5 Auto Hard Drive Data Destruction

5.1 Introduction

OK, so this sounds like something out of Star Wars...

But you can make sure your hard disk is rendered unreadable should it fall into the wrong hands.

By adding a bit of hardware to your PC, you can easily put together an electromagnetic pulse generator of sufficient strength to completely scramble the entire contents of your hard drive should your PC fall into the wrong hands.

Before you read through the rest of this section, read the following warnings and disclaimer very carefully as I will not be held responsible for anything at all that goes wrong.

1 The author will not be held responsible for damage to equipment by any use of ideas presented within this section, under any jurisdiction.
2 The author will not be held responsible for injury or death by any use of ideas presented within this section, under any jurisdiction.
3 Magnetic and electrical fields generated by ideas discussed in this section can cause pacemakers to malfunction.
4 The author will not be held responsible for data loss by any use of ideas presented within this section, under any jurisdiction.
5 The author will not be held responsible for actions of others using information presented in this guide for illegal purposes under any jurisdiction.
6 The author will not be held responsible for data remaining readable on a hard drive by any use of ideas presented within this section under any jurisdiction.
7 In short, the author presents all information for discussion purposes only, and not for practical purposes.

5.2 Overview

OK. Take a look at the following block diagram, then read the accompanying description and the following sections to find out how it can be done.

[Block diagram: EM Pulse System]

I won't be publishing any circuit diagrams for this as I am currently negotiating a commercial deal for the design. However, there's enough in the above diagram and following descriptions for anyone who has an interest in electronics to come up with their own working system. The only part that's not available already commercially is the EM pulse unit, but you can find details on EM generation from many web sites.

5.3 General

OK, taking a look at the above diagram, it is apparent that it is similar to a house or car intruder alarm.

Parts 1, 2, 3, 4, 6 and 7 are all typical features you would find in such an alarm system.

We will actually be using an intruder alarm to develop our own Auto Hard Drive Data Destruction System with the addition of a new module called the EM Pulse Unit.

This additional unit will be triggered in the same way as an intruder alarm fires the siren, and will scramble the contents of your hard drive should someone try to operate your PC, or even move it, or open up the case to remove a hard drive without your consent ;)

Bye bye goes all that sensitive data that might fall into the wrong hands :)))

Make sure you keep encrypted backups in secure locations though, otherwise you will have lost your data completely should this happen.

5.4 Sensor Unit (1)

The sensor unit protects your PC against unauthorised entry to remove the hard drive. It can be as simple as a contact switch that opens as soon as the PC case is removed, or can be more sophisticated in the form of light level changes within the PC case thus signifying the opening of the case.

There are many other methods that can be used for this including tilt switches and acceleration sensors etc.

To ensure your data remains safe, use a combination. The tilt switch is particularly effective in combination with the acceleration sensor as anyone removing your PC will have to pick it up ;)

The contact switch and optical level switch act as safeguards should someone try to remove the case on your PC to extract your hard drives without attempting to pick up your PC.

5.5 Control Unit (2)

The control unit is the heart of the system. It continuously monitors the sensor unit(s) and triggers the speaker/sounder unit and also the EM pulse unit should it detect unauthorised movement or entry to the PC.

5.6 Speaker/Sounder Unit (3)

The speaker/sounder unit provides audible feedback as to whether the system is armed or disarmed. It also provides a warning when the system has been disturbed by unauthorised personnel (signifying that the hard disks in the system have now been scrambled).

5.7 Remote Control Unit (4)

The remote control unit allows arming/disarming of the system. For example, should you wish to move your PC, or remove the case to add a new video card etc, you should disarm the system first, then arm it as soon as you have finished.

5.8 EM Pulse Unit (5)

The EM pulse unit is triggered by the control unit on unauthorised movement of, or entry to the PC case. Once this has been triggered, it generates an extremely fast, short lasting electromagnetic pulse of sufficient intensity to scramble the contents of the hard disk.

As soon as this has happened, information on the hard disk will not be able to be recovered by any expert in any field.

5.9 Battery (6)

The battery is needed to ensure the system works even after you have switched off your PC. A small 12V sealed lead acid unit is ideal for this.

5.10 Charger Unit (7)

The charger unit tops up the battery all the time you have the PC connected to the mains supply.

5.11 Practicalities

You need two free 5.25 inch drive bays to be able to fit everything into your PC. This probably means you will have to use a full tower case if you want to implement ideas in this section.

You also need to be able to access the mains supply as it comes into the PC in order to provide a feed for the charger unit.

If you don't fancy designing your own, you can buy most of the parts ready built from various companies (Maplins, RS Components etc). There are plenty of designs on various web sites for EM generators.

The Rota

BlueCrab Ltd