#1
Old 26th January 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320
Disk encryption

I want to install OpenBSD on an external HDD with a USB2 connector, and I want to encrypt the HDD.
I need your advice: for disk encryption, is OpenBSD better or FreeBSD?
I want to put files on it and need great encryption.
Thanks
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
#2
Old 26th January 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 5,940

Welcome back.
Quote:
For disk encryption, is OpenBSD better or FreeBSD? ... I want to put files on it and need great encryption
I do not know if these questions, as posed, can be answered. Computer users who are not themselves cryptographers or cryptanalysts should select between these choices based entirely on operational needs.
Quote:
I want to install OpenBSD on an external HDD...
I want to put files on it...
Putting files on an encrypted filesystem does not require booting an encrypted installation. Full-disk-encryption ("FDE") is certainly possible, but may not be necessary.
I have a laptop with an encrypted /home partition - I have no need for FDE on that platform. If I need an encrypted USB stick, I would encrypt it and mount it, without bothering to install the OS onto it.
OpenBSD has two different encrypted filesystem options available today: mount_vnd(8) / vnconfig(8), and softraid(4) devices configured by bioctl(8). The latter can be used for FDE. On OpenBSD, FDE installations require manual steps.

The following list is NOT a "HOWTO." It is a basic set of steps needed to install the OS into a drive configured for FDE. It is from memory, without bothering to test.
  1. Boot the RAMDISK Kernel
  2. Select the shell
  3. Make any applicable sd* device nodes needed with MAKEDEV(8).
  4. Configure the MBR with fdisk(8).
  5. Configure the RAID disklabel partition with disklabel(8).
  6. Create softraid/CRYPTO virtual drive with bioctl(8).
  7. Run the install script, installing into the new virtual drive. Both installboot(8) and the second stage bootloader are softraid-aware on i386 and amd64.
#3
Old 26th January 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320

Quote:
Originally Posted by jggimi View Post
Welcome back.
I do not know if these questions, as posed, can be answered. Computer users who are not themselves cryptographers or cryptanalysts should select between these choices based entirely on operational needs.
Putting files on an encrypted filesystem does not require booting an encrypted installation. Full-disk-encryption ("FDE") is certainly possible, but may not be necessary.
I have a laptop with an encrypted /home partition - I have no need for FDE on that platform. If I need an encrypted USB stick, I would encrypt it and mount it, without bothering to install the OS onto it.
OpenBSD has two different encrypted filesystem options available today: mount_vnd(8) / vnconfig(8), and softraid(4) devices configured by bioctl(8). The latter can be used for FDE. On OpenBSD, FDE installations require manual steps.

The following list is NOT a "HOWTO." It is a basic set of steps needed to install the OS into a drive configured for FDE. It is from memory, without bothering to test.
  1. Boot the RAMDISK Kernel
  2. Select the shell
  3. Make any applicable sd* device nodes needed with MAKEDEV(8).
  4. Configure the MBR with fdisk(8).
  5. Configure the RAID disklabel partition with disklabel(8).
  6. Create softraid/CRYPTO virtual drive with bioctl(8).
  7. Run the install script, installing into the new virtual drive. Both installboot(8) and the second stage bootloader are softraid-aware on i386 and amd64.
Thanks.
I need full disk encryption.
I think encryption in OpenBSD is better than FreeBSD.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
#4
Old 26th January 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 5,940

Quote:
Originally Posted by mfaridi View Post
I think encryption in OpenBSD is better than FreeBSD
Why? I ask, because I do not know the answer myself.

I know that softraid uses AES-XTS 128 and 256, because I looked in the source code and noticed it. But I do not know if FreeBSD uses the same cryptographic primitives, because I do not use FreeBSD and have not done the research. It might. But even if they both used AES-XTS, I would not be able to tell you if one of the OSes implemented that primitive in a way that is "better" than the other. That is because implementation of cryptographic primitives in a functional system requires knowledge that I lack.

Last edited by jggimi; 26th January 2015 at 08:04 PM. Reason: clarity
#5
Old 26th January 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320

Quote:
Originally Posted by jggimi View Post
Why? I ask, because I do not know the answer myself.

I know that softraid uses AES-XTS 128 and 256, because I looked in the source code and noticed it. But I do not know if FreeBSD uses the same cryptographic primitives, because I do not use FreeBSD and have not done the research. It might. But even if they both used AES-XTS, I would not be able to tell you if one of the OSes implemented that primitive in a way that is "better" than the other. That is because implementation of cryptographic primitives in a functional system requires knowledge that I lack.
Thanks.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
#6
Old 26th January 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 5,940

Even with the source code in front of me and with the aid of this diagram (courtesy of Wikipedia), I would not be able to tell you if there are any flaws in the OpenBSD implementation of AES-XTS, nor if there are any flaws in how the CRYPTO discipline uses these primitives to provide an encrypted virtual device.
#7
Old 28th January 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320

Quote:
Originally Posted by jggimi View Post
Even with the source code in front of me and with the aid of this diagram (courtesy of Wikipedia), I would not be able to tell you if there are any flaws in the OpenBSD implementation of AES-XTS, nor if there are any flaws in how the CRYPTO discipline uses these primitives to provide an encrypted virtual device
Thanks
If I encrypt my HDD with a strong password, can someone access my data when nobody has my password? If someone attaches my HDD to another system, can they access my data?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
#8
Old 28th January 2015
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,276

Quote:
Originally Posted by mfaridi View Post
If I encrypt my HDD with a strong password, can someone access my data when nobody has my password?
No, however it would be better to use a passphrase of multiple words as opposed to a single-word password.

Last edited by ocicat; 28th January 2015 at 08:04 PM. Reason: Missing adverb
#9
Old 28th January 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 5,940

Before I address your question directly, let us return to AES-XTS, the cipher mentioned above. Wikipedia says:
Quote:
XTS is supported by BestCrypt, dm-crypt, FreeOTFE, TrueCrypt, DiskCryptor, FreeBSD's geli, OpenBSD softraid disk encryption software, and Mac OS X Lion's FileVault 2.
So both FreeBSD and OpenBSD use the same crypto primitive. Implementations differ, but with the same plaintext and the same keys, if the algorithm is deployed correctly and with the same options, both OSes should produce the same ciphertext. The bits on the disk will be the same.

Now, to your question, which is multi-part. First, your password / passphrase / key:
Quote:
...when nobody do not have my pass...
Because passwords and passphrases use text (ASCII or UTF-8), they are generally poor choices when used as keys. They can be attacked by "brute force" methods, or methods combined with "dictionary attacks". This weakness is inherent in human-readable / human-understandable keys. It is a separate issue from that of the cipher that is used.

Both FreeBSD and OpenBSD offer password/passphrase options for generating keys that are used by the AES-XTS cipher. OpenBSD can use a key file (typically read from a USB stick) and while I have not checked FreeBSD's capabilities, I'm sure they offer something similar. A key file is not a password or a passphrase, but a fairly random collection of bits ... sometimes, thousands of bits long.

So the attacker can either attack keys, or attack the cipher itself. Passwords are easy to attack, passphrases can be attacked as well, they are just longer passwords.
Quote:
...can someone access to my data...
I cannot answer whether AES-XTS is a "good" cipher, because I am not a cryptographer. And I've already mentioned that implementations may have weaknesses, even if the primitive does not. But regardless whether you choose FreeBSD or OpenBSD, the cipher itself should be the same. And, attacking the key is far, far easier than attacking the cipher. There is a famous cartoon about attacking the password when the cipher cannot be easily broken: http://xkcd.com/538/

I hope this information has helped.

Last edited by jggimi; 28th January 2015 at 07:52 PM. Reason: typo, clarity
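Editor's added illustration of the point jggimi makes above about attacking the key rather than the cipher. This is example code, not part of the thread and not OpenBSD's softraid or FreeBSD's geli code. It assumes a passphrase is stretched into the volume key with PBKDF2 (bioctl(8) does have an -r option for the PBKDF2 round count, but the hash, salt and 8192-round default used here are this example's own choices, not softraid's), and it contrasts that with a key file of random bytes, which has no word or phrase behind it for a wordlist to enumerate. The wordlist check is meant as the pre-deployment test a defender runs on a planned passphrase; the cost function shows how the round count multiplies the price of every guess.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample values for this example only (not taken from any real volume).
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
KEY_LEN = 32           # 256-bit key, the larger of the two AES-XTS sizes named in the thread
DEFAULT_ROUNDS = 8192  # assumption for illustration; softraid's own defaults are not reproduced


def derive_key(passphrase: str, rounds: int = DEFAULT_ROUNDS, salt: bytes = SALT) -> bytes:
    """Stretch a human-chosen passphrase into a fixed-size key.

    PBKDF2-HMAC-SHA256 is this example's choice of KDF; bioctl(8)'s -r option sets a
    PBKDF2 round count for softraid, but its hash and defaults are not copied here.
    Every round is one HMAC, so the cost of each guess grows linearly with `rounds`.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, rounds, dklen=KEY_LEN)


def random_key_file() -> bytes:
    """A key file stands in for a passphrase: random bits straight from the OS CSPRNG.

    There is no word or phrase behind it, so a wordlist has nothing to enumerate;
    the only route left is the full 2**256 key space, i.e. attacking the cipher itself.
    """
    return secrets.token_bytes(KEY_LEN)


def found_in_wordlist(volume_key: bytes, wordlist, rounds: int = DEFAULT_ROUNDS):
    """Defensive check: is the key protecting a volume reachable from a given wordlist?

    Returns (index, candidate) if some entry derives the key, else None. Run it
    against a planned passphrase with a real common-passphrase list before
    committing a volume to it. Each trial costs exactly one KDF evaluation.
    """
    for index, candidate in enumerate(wordlist):
        if hmac.compare_digest(derive_key(candidate, rounds), volume_key):
            return index, candidate
    return None


def exhaust_time_seconds(candidates: int, rounds: int, hmacs_per_second: float) -> float:
    """Seconds needed to try every candidate when each one costs `rounds` HMACs.

    The two levers a defender controls: the size of the space the passphrase is
    drawn from (candidates) and the per-guess cost (rounds).
    """
    return candidates * rounds / hmacs_per_second


def guessing_space_bits(candidates: int) -> float:
    """Express a candidate count in bits, for comparison with a 256-bit key file."""
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed toy wordlist; a real check would use a large common-passphrase list.
    toy_words = ["password", "letmein", "openbsd", "correct horse battery staple"]
    weak_key = derive_key("openbsd", rounds=100)
    print("weak passphrase found:", found_in_wordlist(weak_key, toy_words, rounds=100))
    print("key file found:", found_in_wordlist(random_key_file(), toy_words, rounds=100))
    # A million-entry list at ten million HMAC/s: 8192 rounds turns a fraction of a second into minutes.
    print("1e6 candidates, 1 round:", exhaust_time_seconds(10**6, 1, 1e7), "s")
    print("1e6 candidates, 8192 rounds:", exhaust_time_seconds(10**6, 8192, 1e7), "s")
    print("1e6 candidates is about", round(guessing_space_bits(10**6), 1), "bits, versus 256 for a key file")
```

Note that the round count only scales the attacker's cost linearly; it does not change the size of the space a dictionary word comes from. A multi-word passphrase (as ocicat suggests) enlarges that space, and a key file removes it from consideration altogether.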
Old 28th January 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320

Quote:
Originally Posted by jggimi View Post
Before I address your question directly, let us return to AES-XTS, the cipher mentioned above. Wikipedia says:
So both FreeBSD and OpenBSD use the same crypto primitive. Implementations differ, but with the same plaintext and the same keys, if the algorithm is deployed correctly and with the same options, both OSes should produce the same ciphertext. The bits on the disk will be the same.

Now, to your question, which is multi-part. First, your password / passphrase / key:
Because passwords and passphrases use text (ASCII or UTF-8), they are generally poor choices when used as keys. They can be attacked by "brute force" methods, or methods combined with "dictionary attacks". This weakness is inherent in human-readable / human-understandable keys. It is a separate issue from that of the cipher that is used.

Both FreeBSD and OpenBSD offer password/passphrase options for generating keys that are used by the AES-XTS cipher. OpenBSD can use a key file (typically read from a USB stick) and while I have not checked FreeBSD's capabilities, I'm sure they offer something similar. A key file is not a password or a passphrase, but a fairly random collection of bits ... sometimes, thousands of bits long.

So the attacker can either attack keys, or attack the cipher itself. Passwords are easy to attack, passphrases can be attacked as well, they are just longer passwords.

I cannot answer whether AES-XTS is a "good" cipher, because I am not a cryptographer. And I've already mentioned that implementations may have weaknesses, even if the primitive does not. But regardless whether you choose FreeBSD or OpenBSD, the cipher itself should be the same. And, attacking the key is far, far easier than attacking the cipher. There is a famous cartoon about attacking the password when the cipher cannot be easily broken: http://xkcd.com/538/

I hope this information has helped.
Thanks, thanks.
Why can't I find the thanks option?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
Old 28th January 2015
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,276

Quote:
Originally Posted by mfaridi View Post
why I can not find thanks option ??
http://daemonforums.org/showthread.p...2166#post52166
Old 2nd March 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 5,940

mfaridi, I'm replying to this thread from January in order to point you to a conversation on the misc@ mailing list about disk encryption implementations. It's a discussion of how this primitive has been implemented in softraid, and includes a discussion of the Blowfish CBC cipher used with vnconfig.

It's active and ongoing: http://marc.info/?t=142524598900005&r=1&w=2
Old 2nd March 2015
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320

Quote:
Originally Posted by jggimi View Post
mfaridi, I'm replying to this thread from January in order to point you to a conversation on the misc@ mailing list about disk encryption implementations. It's a discussion of how this primitive has been implemented in softraid, and includes a discussion of the Blowfish CBC cipher used with vnconfig.

It's active and ongoing: http://marc.info/?t=142524598900005&r=1&w=2
Thanks my friend
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.