On 2016-10-14 09:21:24, Peter Janos <peterjan...@mail.com> wrote:
> Hello,
> [snip]
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> w
> q
> bioctl -c C -l /dev/sd0a -r 20000000 softraid0
> # use a random high iteration number x > 10 000 000

I just want to point out (for the archives as well as others) that
the softraid crypto discipline has recently been switched from
PBKDF2 to bcrypt.


Since bcrypt calculates its rounds based on the exponentiation of
the number (i.e. the default of 16 rounds actually performs 2^16
rounds or 65536 rounds), the default number of "rounds" was
reduced from 8192 to only 16.  If you were to use 20 million
"rounds" with the new bcrypt algorithm, I wouldn't be surprised if
it took weeks, months, or even YEARS to actually mount your disk
after inputting your password.

For reference, I tried to simply calculate 2^20 millionth power
using dc for my own amusement and gave up after it crunched numbers
for over a minute with no answer returned.

A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
would probably be closer to what you actually want.

> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.

Indeed it would.  Quite significantly in fact.


Reply via email to