Re: [Bulk] Re: vnconfig crypto alternative
On Sun, 1 Mar 2015 13:52:37 -0500 Jonathan Thornburg wrote: That deprecation is not going to happen. Keep using what you are using now. I grok that (the current implementation of) vnd crypto is weak. What's the current migration/fixing/transition plan for this? (I can't find any mention of vnd or vnconfig in http://www.openbsd.org/plus.html .) Where do you grok that from? I believe the words were not state of the art, which is fair and encouraging to use softraid is correct. vnd crypto uses CBC which has some papers pondering the possibility of breakage but in no way are they useful to a legitimate attacker. It doesn't change the keys like softraid which also uses the more modern xts and is far more suitable to larger volumes. Blowfish certainly isn't weak I believe theo said something along the lines of there is still a place for a simpler crypto implementation. I think that says it all and the warning will certainly send those in doubt to bioctl (softraid)
Re: vnconfig crypto alternative
In message http://marc.info/?l=openbsd-miscm=140146687910205w=1 (dated 2014-05-30), tedu@ wrote: If you are using encrypted vnd (vnconfig -k or -K) you will want to begin planning your migration strategy. -- Forwarded message -- From: Ted Unangst t...@cvs.openbsd.org Date: Fri 2014/05/30 10:14 -06:00 Subject: CVS: cvs.openbsd.org: src To: source-chan...@cvs.openbsd.org CVSROOT:/cvs Module name:src Changes by: t...@cvs.openbsd.org2014/05/30 10:14:19 Modified files: sbin/mount_vnd : mount_vnd.c Log message: WARNING: Encrypted vnd is insecure. Migrate your data to softraid before 5.7. In message http://marc.info/?l=openbsd-miscm=141687050525646w=1 (dated 2014-11-24), deraadt@ wrote: That deprecation is not going to happen. Keep using what you are using now. I grok that (the current implementation of) vnd crypto is weak. What's the current migration/fixing/transition plan for this? (I can't find any mention of vnd or vnconfig in http://www.openbsd.org/plus.html .) ciao, -- -- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu Dept of Astronomy IUCSS, Indiana University, Bloomington, Indiana, USA There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. -- George Orwell, 1984
Re: vnconfig crypto alternative
On Tue, 25 Nov 2014, Jason Tubnor wrote: With crypto being deprecated (and possibly removed in future versions - depending on dev direction) from vnconfig, would the following be assumed one way of providing an encrypted container? To create 200MB encrypted container: sudo dd if=/dev/zero of=/var/encrypt/container.encrypt bs=1m count=200 sudo chmod 600 /var/encrypt/container.encrypt sudo vnconfig vnd0 /var/encrypt/container.encrypt printf a\n\n\n\nRAID\nw\nq\n\n | sudo disklabel -E vnd0 sudo bioctl -c C -l vnd0a softraid0 ## Enter your secret passphrase here sudo dd if=/dev/zero of=/dev/rsd1c bs=1m count=1 printf a\n\n\n\n4.2BSD\nw\nq\n\n | sudo disklabel -E sd1 sudo newfs /dev/rsd1a sudo mount /dev/sd1a /encrypt ## When I tried this a couple of months ago I saw double figure of written bytes to the host device (where /var/encrypt resides in your case) than what I was actually writing to the softraid volume (/dev/sd1c in your case). It did not look neither efficient, nor healthy. Try dd if=/dev/zero of=/dev/rsd1c bs=1m while watching systat/iostat at the same time. Is it still the case? Regards, David
Re: vnconfig crypto alternative
On 25 November 2014 at 18:58, David Vasek va...@fido.cz wrote: did not look neither efficient, nor healthy. Try dd if=/dev/zero of=/dev/rsd1c bs=1m while watching systat/iostat at the same time. Is it still the case? So here are the findings. The test is virtualised but below is the baseline into a vnd container (no crypt etc) GENERIC 5.6-current amd64: # dd if=/dev/zero of=/dev/rvnd0a bs=1m count=1000 1000+0 records in 1000+0 records out 1048576000 bytes transferred in 41.652 secs (25174524 bytes/sec) The results for vnd container using crypt (noticed ~20% cpu utilisation): # dd if=/dev/zero of=/dev/rvnd0a bs=1m count=1000 1000+0 records in 1000+0 records out 1048576000 bytes transferred in 59.270 secs (17691307 bytes/sec) Crypto softraid inside a vnd container (noticed ~8% cpu utilisation): # dd if=/dev/zero of=/dev/rsd2a bs=1m count=1000 1000+0 records in 1000+0 records out 1048576000 bytes transferred in 87.422 secs (11994340 bytes/sec) I'll continue using vnd crypt container based on advice from theo@ . Performance is not a real issue for this small amount of data that is not accessed often in my use case so I wasn't too concerned either way, just wanted to make sure I was on a valid supported path.
vnconfig crypto alternative
With crypto being deprecated (and possibly removed in future versions - depending on dev direction) from vnconfig, would the following be assumed one way of providing an encrypted container? To create 200MB encrypted container: sudo dd if=/dev/zero of=/var/encrypt/container.encrypt bs=1m count=200 sudo chmod 600 /var/encrypt/container.encrypt sudo vnconfig vnd0 /var/encrypt/container.encrypt printf a\n\n\n\nRAID\nw\nq\n\n | sudo disklabel -E vnd0 sudo bioctl -c C -l vnd0a softraid0 ## Enter your secret passphrase here sudo dd if=/dev/zero of=/dev/rsd1c bs=1m count=1 printf a\n\n\n\n4.2BSD\nw\nq\n\n | sudo disklabel -E sd1 sudo newfs /dev/rsd1a sudo mount /dev/sd1a /encrypt ## sudo umount /encrypt sudo bioctl -d sd1 sudo vnconfig -u vnd0 Then to re-use: sudo vnconfig vnd0 /var/encrypt/container.encrypt sudo bioctl -c C -l vnd0a softraid0 ## Enter your secret passphrase here sudo mount /dev/sd1a /encrypt ## sudo umount /encrypt sudo bioctl -d sd1 sudo vnconfig -u vnd0
Re: vnconfig crypto alternative
With crypto being deprecated (and possibly removed in future versions - depending on dev direction) from vnconfig, would the following be assumed one way of providing an encrypted container? That deprecation is not going to happen. Keep using what you are using now.
