October 11 2017
I frequently bump into design decisions that require compromises, particularly between security and convenience. Rather than try to wend my way down the middle of the road or bouncing between extremes, I decided it would be better to split CryptDisk into (at least) three different flavors.
CryptDisk Daily is intended for everyday use where the data needs to be protected from accidental loss or theft, but disguising the data or hiding the fact that encryption is used is not necessary. Daily favors convenience over extreme security. It remembers the typical configuration of keys and volumes so it can be restored each day with a single operation. The security of the data is still uncrackable, but there is no effort to hide CryptDisk's presence on the system.
CryptDisk Stealth favors extreme security over convenience, enabling extreme OpSec. It leaves no trace of its presence, can be run from an external thumb drive, and has options to embed the encrypted data into other files to make the data difficult to detect. Stealth provides plausible deniability of the data on the system.
CryptDisk IP is designed to protect the intellectual property of other software applications. A typical target application might be a video game where millions of dollars are spent to produce media IP that is stored in common formats such as PNG, JPG, MP3, and WAV files that are easy to copy and reuse.
The author manages all his files inside a virtual disk, using all the features of the file system (FAT, FAT32, exFAT, NTFS, etc.). The deployment structure can be exactly the same as the development environment. Executables can be run from within the virtual disk. No assets will ever exist outside the virtual disk, nothing is ever copied to the customer's machine except the virtual disk container and the launcher.
CryptDisk IP provides a software API that is linked into the app's loader to create a virtual disk containing all the digital assets the app needs. Only the app's process (and any other processes it launches) can access the virtual disk, the rest of the system can see only the encrypted media file. Once the loader has created the virtual disk, all its contents can be accessed normally -- but only by the app. Only the loader needs to know anything about CryptDisk.
CryptDisk Vault is the ultimate in data security, a physical external USB disk that can be accessed only through the CryptDisk software. Any attempt to read the disk directly fails, preventing any attempt to image the data without authenticating.