I tested OpenBSD 5.6 in VirtualBox on a RHEL 6.5 Workstation, T410:
A few installs, with full disc encryption, only the rounds differ
the guests had: 2 GB RAM, fixed 10 GB HDD, same 10 char pwd, i5 CPU M 560:
(I placed dots only for better reading, not in the real command)
A = bioctl -r 1.000 -c C -l /dev/sd0a softraid0
B = bioctl -r 100.000 -c C -l /dev/sd0a softraid0
C = bioctl -r 1.000.000 -c C -l /dev/sd0a softraid0
D = bioctl -r 10.000.000 -c C -l /dev/sd0a softraid0
E = without encryption
I did a:
dd if=/dev/zero of=test.foo
on them:
A = ~107 sec
B = ~105 sec
C = ~109 sec
D = ~106 sec
E = ~110 sec
-> ~22 MB/s
From the man pages:
-r rounds
When creating an encrypted volume, specifies the number of iterations of
the PBKDF2 algorithm used to convert a passphrase into a key. Higher iteration
counts take more time, but offer more resistance to key guessing attacks. The
minimum is 1000 rounds and the default is 8192.
---------------------------
Questions for the community/devs:
- Are there any statistics for comparing the rounds vs. the time for one
password to "crack"? What is the best* round number?
*- Do the rounds affect the disk performance, e.g.: 1000 vs. 10 000 000**? Or
does it ONLY affect the time until the password unlocks the CRYPT device?
**When I used 10 000 000 rounds, after giving the pwd at boot, it took ~30
seconds to start the real boot
It looks like using dd didn't make any difference between encrypted vs.
not-encrypted disks... so were my tests bad?
Thank you,
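
Added example, not part of the original post and not bioctl's own code: the man page text quoted above says the rounds are spent converting a passphrase into a key, so this sketch times one PBKDF2 derivation and extrapolates linearly to the round counts used in the post, giving the cost of a single passphrase guess. HMAC-SHA1, the 32-byte key length and the sample passphrase are assumptions of this example, and the timings describe the machine it runs on.

```python
import hashlib
import os
import time

# Round counts A-D from the post, plus the default quoted from the man page.
ROUNDS = [1_000, 8_192, 100_000, 1_000_000, 10_000_000]


def derive_key(passphrase: bytes, salt: bytes, rounds: int, length: int = 32) -> bytes:
    """Passphrase-to-key step. HMAC-SHA1 and the key length are assumptions."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, dklen=length)


def seconds_per_round(calibration_rounds: int = 50_000) -> float:
    """Time one derivation and divide; PBKDF2 cost is linear in the round count."""
    salt = os.urandom(16)  # constructed salt, regenerated on every call
    start = time.perf_counter()
    derive_key(b"constructed-passphrase", salt, calibration_rounds)
    return (time.perf_counter() - start) / calibration_rounds


def cost_table(per_round: float, rounds_list=ROUNDS):
    """Return rows of (rounds, seconds per guess, guesses per day on one core)."""
    rows = []
    for rounds in rounds_list:
        per_guess = per_round * rounds
        rows.append((rounds, per_guess, 86_400 / per_guess))
    return rows


if __name__ == "__main__":
    for rounds, per_guess, per_day in cost_table(seconds_per_round()):
        print(f"{rounds:>10} rounds  {per_guess:9.4f} s/guess  {per_day:14.0f} guesses/day")
```

The seconds-per-guess column is also the delay a legitimate user pays each time the passphrase is entered.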