DaemonForums: OpenBSD Security (Functionally paranoid!)
#1  18th November 2009  deviant085 (New User)
Full disk encryption with Loop-AES

Hi all, I was trying to find some information on full disk encryption in OpenBSD, preferably using Loop-AES. But after a bit of googling I haven't been able to find much.

Could anyone help me out here?
#2  18th November 2009  ocicat (Administrator)

Quote:
Originally Posted by deviant085
...I was trying to find some information on full disk encryption in openBSD,

OpenBSD does not support full disk encryption if the system itself resides on the disk. To encrypt select non-root partitions, study the manpages for:

Section 14.10 of the FAQ will provide some additional information.

bioctl(8) & softraid(8) also do disk encryption, but heed the warning in bioctl(8)'s manpage stating that it is currently considered experimental.
Quote:
...preferably using Loop-AES.
vnconfig(8) uses Blowfish.

Two very recent threads on encryption can be found in the archives to the official misc@ mailing list:
#3  18th November 2009  deviant085 (New User)

Thank you for your quick reply, I will have a look over all of that.
#4  19th November 2009  s2scott (Package Pilot, Toronto, Ontario Canada)

As a quick pointer ... the barrier to full-disk encryption issue is the root (/) partition. The available solution(s) will likely pivot on whether you can or cannot tolerate an un-encrypted root partition.

/S
#5  20th November 2009  deviant085 (New User)

I think the way I am going to overcome this issue of not being able to encrypt root is to enable encrypted swap and create an encrypted partition where applications can run in a chrooted environment.

I still have a few things to work out, but I think it should be an acceptable substitution.
#6  20th November 2009  jggimi (More noise than signal, USA)

Swap has been encrypted by default since 3.8.
#7  20th November 2009  s2scott (Package Pilot, Toronto, Ontario Canada)

Quote:
Originally Posted by deviant085
I think the way I am going ... create an encrypted partition where applications can run in a chrooted environment.

I run an AXIGEN (mobile edition w/ BlackBerry push support) post office pretty much as you're thinking. I adapted the following guide: http://geektechnique.org/projectlab/...pted-nas-howto (its companion guide: http://geektechnique.org/projectlab/...nas-on-openbsd).

The guide is now a bit dated as newer o/s techniques are available in 4.5 and 4.6, but I found it useful in its day.

It has worked so well that it has been set and forget ever since.

/S
#8  23rd November 2009  deviant085 (New User)

Quote:
Originally Posted by jggimi
Swap has been encrypted by default since 3.8.

Are you sure? Because I had to modify /etc/sysctl.conf to turn it on in 4.6.
Code:
#vm.swapencrypt.enable=0         # 0=Do not encrypt pages that go to swap
to
vm.swapencrypt.enable=1         # 0=Do not encrypt pages that go to swap
#9  23rd November 2009  Oko (Rc.conf Instructor, Kosovo, Serbia)

Quote:
Originally Posted by deviant085
Are you sure? Because I had to modify /etc/sysctl.conf to turn it on in 4.6.
Code:
#vm.swapencrypt.enable=0         # 0=Do not encrypt pages that go to swap
to
vm.swapencrypt.enable=1         # 0=Do not encrypt pages that go to swap
Man, you have to do some reading before asking. The default behavior of an OpenBSD box is the opposite of what is commented out in sysctl.conf. Those lines are left like that so that if you want to turn off swap encryption you can just remove the # and reboot the computer.
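As an added example (written for this edit, not posted by anyone in the thread), a small sh script that reads an /etc/sysctl.conf-style file the way the exchange above describes: a commented-out line is not a setting, so with the stock file the kernel's built-in default of 1 applies, and only an uncommented assignment changes the effective value. The file names and sample contents are constructed; the live check only returns a real value on OpenBSD.

```shell
#!/bin/sh
# Added example: work out what the kernel will use for vm.swapencrypt.enable
# from a sysctl.conf-style file. On OpenBSD the built-in default is 1 (swap
# is encrypted); the commented-out "#vm.swapencrypt.enable=0" in the stock
# file is the line you would UNcomment to turn it off, not the default.

# effective_sysctl <file> <mib> <kernel-default>
# Prints the last uncommented assignment to <mib>, else <kernel-default>.
effective_sysctl() {
    cfg=$1 mib=$2 value=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading blanks
        case "$line" in ''|\#*) continue ;; esac  # blank or comment line
        line=${line%%#*}                          # drop trailing comment
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        val=$(printf '%s' "${line#*=}"  | tr -d ' \t')
        [ "$key" = "$mib" ] && value=$val         # last assignment wins
    done < "$cfg"
    printf '%s\n' "$value"
}

# What the running kernel reports; "unavailable" on non-OpenBSD hosts so
# the script is still usable purely as a config-file check.
live_swapencrypt() {
    command -v sysctl >/dev/null 2>&1 &&
        sysctl -n vm.swapencrypt.enable 2>/dev/null || echo unavailable
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed sample: the stock 4.6 line as quoted in the thread.
cat > "$TMP/stock.conf" <<'EOF'
#vm.swapencrypt.enable=0         # 0=Do not encrypt pages that go to swap
EOF
# Constructed sample: an admin has actually turned swap encryption off.
cat > "$TMP/off.conf" <<'EOF'
#vm.swapencrypt.enable=0         # 0=Do not encrypt pages that go to swap
vm.swapencrypt.enable=0          # swap encryption disabled on purpose
EOF

for f in stock off; do
    printf '%s.conf -> effective vm.swapencrypt.enable=%s\n' "$f" \
        "$(effective_sysctl "$TMP/$f.conf" vm.swapencrypt.enable 1)"
done
printf 'running kernel reports: %s\n' "$(live_swapencrypt)"
```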
23rd November 2009  deviant085 (New User)

Oh ok, didn't know that... Thanks for that.