On 2016-10-14 09:21:24, Peter Janos <peterjan...@mail.com> wrote:
> Hello,
>
> [snip]
>
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 20000000 softraid0
> # use a random high iteration number x > 10 000 000
>
I just want to point out (for the archives as well as others) that the softraid crypto discipline has recently been switched from PBKDF2 to bcrypt.

http://marc.info/?l=openbsd-cvs&m=147430724911779&w=2
http://www.openbsd.org/faq/current.html#r20160919

Since bcrypt calculates its rounds based on the exponentiation of the number (i.e. the default of 16 rounds actually performs 2^16 rounds or 65536 rounds), the default number of "rounds" was reduced from 8192 to only 16. If you were to use 20 million "rounds" with the new bcrypt algorithm, I wouldn't be surprised if it took weeks, months, or even YEARS to actually mount your disk after inputting your password.

For reference, I tried to simply calculate 2^20 millionth power using dc for my own amusement and gave up after it crunched numbers for over a minute with no answer returned.

A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432) would probably be closer to what you actually want.

> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
>
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
>

Indeed it would. Quite significantly in fact.

--
Bryan
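The point of the reply above is that after the switch to bcrypt the `-r` value is an exponent, not an iteration count, so a number chosen for PBKDF2 is catastrophically large. The following is an added example (not from the thread or from OpenBSD) that turns a single calibration measurement (assumed here: `-r 16` takes 0.25 s on the machine in question) into an unlock-time estimate for any exponent and picks the exponent for a desired unlock delay; it works in the log domain so an input like 20000000 yields "infinite" instead of hanging the way the `dc` calculation did.

```python
import math

# Defaults quoted in the thread: old PBKDF2 iteration default and new bcrypt exponent default.
OLD_PBKDF2_DEFAULT_ITERATIONS = 8192
NEW_BCRYPT_DEFAULT_ROUNDS = 16


def bcrypt_work(rounds: int) -> int:
    """Number of bcrypt iterations actually performed for cost exponent `rounds` (2^rounds)."""
    if rounds < 0:
        raise ValueError("rounds must be non-negative")
    return 1 << rounds


def log2_unlock_seconds(rounds: int, cal_rounds: int, cal_seconds: float) -> float:
    """log2 of the estimated unlock time, assuming each extra round doubles the time.

    Staying in the log domain keeps absurd exponents (e.g. -r 20000000) from overflowing.
    """
    if cal_seconds <= 0:
        raise ValueError("calibration time must be positive")
    return math.log2(cal_seconds) + (rounds - cal_rounds)


def estimate_unlock_seconds(rounds: int, cal_rounds: int, cal_seconds: float) -> float:
    """Estimated seconds to unlock; returns math.inf when the value is beyond float range."""
    lg = log2_unlock_seconds(rounds, cal_rounds, cal_seconds)
    return 2.0 ** lg if lg < 1000 else math.inf


def estimate_unlock_years(rounds: int, cal_rounds: int, cal_seconds: float) -> float:
    """Same estimate expressed in (Julian) years, for the 'weeks, months, or even YEARS' question."""
    secs = estimate_unlock_seconds(rounds, cal_rounds, cal_seconds)
    return secs / (365.25 * 86400) if math.isfinite(secs) else math.inf


def choose_rounds(target_seconds: float, cal_rounds: int, cal_seconds: float) -> int:
    """Smallest exponent whose estimated unlock time is at least `target_seconds`."""
    if target_seconds <= 0:
        raise ValueError("target time must be positive")
    return cal_rounds + max(0, math.ceil(math.log2(target_seconds / cal_seconds)))


if __name__ == "__main__":
    # Constructed calibration: -r 16 measured at 0.25 s on this hypothetical machine.
    cal_r, cal_t = NEW_BCRYPT_DEFAULT_ROUNDS, 0.25
    for r in (16, 24, 25, 20000000):
        print(f"-r {r}: ~{estimate_unlock_seconds(r, cal_r, cal_t)} s")
    print("for ~1 s unlock use -r", choose_rounds(1.0, cal_r, cal_t))
```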