Re: Encrypting my keydisk
On Fri, Oct 25, 2019 at 12:20 PM Normen Wohner wrote: > > > > > Am 24.10.2019 um 03:27 schrieb Aaron Mason : > > > > On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner wrote: > >> > >> To enable two factor encryption? > >> One passcode is in his head the other on a key. > >> If either is missing the data on drive is unreadable. > >> I don’t know what is hard to understand about it. > >> In an ideal world you’d use the manual passcode > >> to decrypt the keydisk and then the keydisk > >> to decrypt the fs. > >> You should also not be able to tell > >> whether the keydisk was in fact encrypted, > >> the bootloader should try and on failure ask > >> for a passcode, not expect there to be some > >> 'RSA-2048' written at the end. > >> It’s hard for me to understand why nobody asked for this sooner. > >> > > > > You could just use a passphrase on the original disk to the same > > effect. No sense over-complicating things. > > No, you could not, that way whoever has the keydisk has access to the files > on disk, otherwise you still need a password. Not sure what is unclear about > this. Maybe you think this is about login? It is actually about obfuscating > the login process and enabling 2FA. > Maybe you think live files are still encrypted when the OS runs but no user > is logged in. That is sadly not the case. Or maybe I think the password is asked for on boot. No access to files until that passphrase is entered, regardless of whether someone is logged in or not. If you wanted the files hidden prior to login, write two scripts - one to mount the encrypted volume, the other to unmount - allow them to be run without password in doas.conf(5), then run them from ~/.profile, using trap (see https://www.cyberciti.biz/faq/linux-unix-run-commands-when-you-log-out/ for more details) to run the unmount script on logoff. > > > Regarding your second question, whatever part or level of the "bootloader" > normally checks for keydisk already has access to the full range of supported > en- and decryption mechanisms as it uses the key to do just that to the disk. > This would simply add a second decrypt trial. > > That doesn't answer the question of how it's going to access an encrypted key without the key to decrypt it. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Encrypting my keydisk
> Am 24.10.2019 um 03:27 schrieb Aaron Mason : > > On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner wrote: >> >> To enable two factor encryption? >> One passcode is in his head the other on a key. >> If either is missing the data on drive is unreadable. >> I don’t know what is hard to understand about it. >> In an ideal world you’d use the manual passcode >> to decrypt the keydisk and then the keydisk >> to decrypt the fs. >> You should also not be able to tell >> whether the keydisk was in fact encrypted, >> the bootloader should try and on failure ask >> for a passcode, not expect there to be some >> 'RSA-2048' written at the end. >> It’s hard for me to understand why nobody asked for this sooner. >> > > You could just use a passphrase on the original disk to the same > effect. No sense over-complicating things. No, you could not, that way whoever has the keydisk has access to the files on disk, otherwise you still need a password. Not sure what is unclear about this. Maybe you think this is about login? It is actually about obfuscating the login process and enabling 2FA. Maybe you think live files are still encrypted when the OS runs but no user is logged in. That is sadly not the case. Regarding your second question, whatever part or level of the "bootloader" normally checks for keydisk already has access to the full range of supported en- and decryption mechanisms as it uses the key to do just that to the disk. This would simply add a second decrypt trial.
Re: Encrypting my keydisk
So answering your forwarded Mail Thread. What's the reason ? Because your diskencryption stands and falls with the complexity of your passphrase. And if you were able to use a keydisk to encrypt your harddrive it would be WAY harder to bruteforce your keydisk rather than your passphrase. This advantaged is kind of "compromised" by the fact that the keydisk could be easily stolen or copied. -> keydisk encryption to mitigate that. Overcomplicated? Not so much. I'm at it so far implementing the diff. I'll see how that goes. On 2019-10-24 03:31, Aaron Mason wrote: > On Thu, Oct 24, 2019 at 10:44 AM List wrote: >> One would obviously NOT store the key on harddisk. That wouldn't make >> any sense and is not necessary. >> >> This could be similarly achieved as the normal FDE with passphrase. But >> instead of the actual harddisk as target, the target of the "yet to >> implement" encryption of the keydisk would be the key on the keydisk >> itself. >> > So how would the system access the key if it's encrypted? > >> g >> >> On 2019-10-22 23:40, Aaron Mason wrote: >>> On Wed, Oct 23, 2019 at 5:11 AM List wrote: I'm sorry I might have not been so clear about it. I meant a way to encrypt the actual keydisk with a passphrase. On 2019-10-18 13:34, Jan Stary wrote: >>> On Wednesday, October 16, 2019 11:06 PM, List >>> wrote: I was wondering if there is a reason for the lack of keydisk encryption. > $ man bioctl > # bioctl -h -v -c C ... > >>> To what end? At some point you're going to have to store the >>> passphrase somewhere it can be easily read, and all you've really >>> achieved is a way to, at best, slow down a potential attacker. >>> > signature.asc Description: OpenPGP digital signature
Re: Encrypting my keydisk
On Thu, Oct 24, 2019 at 10:44 AM List wrote: > > One would obviously NOT store the key on harddisk. That wouldn't make > any sense and is not necessary. > > This could be similarly achieved as the normal FDE with passphrase. But > instead of the actual harddisk as target, the target of the "yet to > implement" encryption of the keydisk would be the key on the keydisk > itself. > So how would the system access the key if it's encrypted? > g > > On 2019-10-22 23:40, Aaron Mason wrote: > > On Wed, Oct 23, 2019 at 5:11 AM List wrote: > >> I'm sorry I might have not been so clear about it. I meant a way to > >> encrypt the actual keydisk with a passphrase. > >> > >> On 2019-10-18 13:34, Jan Stary wrote: > > On Wednesday, October 16, 2019 11:06 PM, List > > wrote: > >> I was wondering if there is a reason for the lack of keydisk > >> encryption. > >>> $ man bioctl > >>> # bioctl -h -v -c C ... > >>> > > To what end? At some point you're going to have to store the > > passphrase somewhere it can be easily read, and all you've really > > achieved is a way to, at best, slow down a potential attacker. > > > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Encrypting my keydisk
One would obviously NOT store the key on harddisk. That wouldn't make any sense and is not necessary. This could be similarly achieved as the normal FDE with passphrase. But instead of the actual harddisk as target, the target of the "yet to implement" encryption of the keydisk would be the key on the keydisk itself. g On 2019-10-22 23:40, Aaron Mason wrote: > On Wed, Oct 23, 2019 at 5:11 AM List wrote: >> I'm sorry I might have not been so clear about it. I meant a way to >> encrypt the actual keydisk with a passphrase. >> >> On 2019-10-18 13:34, Jan Stary wrote: > On Wednesday, October 16, 2019 11:06 PM, List > wrote: >> I was wondering if there is a reason for the lack of keydisk encryption. >>> $ man bioctl >>> # bioctl -h -v -c C ... >>> > To what end? At some point you're going to have to store the > passphrase somewhere it can be easily read, and all you've really > achieved is a way to, at best, slow down a potential attacker. > signature.asc Description: OpenPGP digital signature
Re: Encrypting my keydisk
On Wed, Oct 23, 2019 at 5:11 AM List wrote: > > I'm sorry I might have not been so clear about it. I meant a way to > encrypt the actual keydisk with a passphrase. > > On 2019-10-18 13:34, Jan Stary wrote: > >>> On Wednesday, October 16, 2019 11:06 PM, List > >>> wrote: > I was wondering if there is a reason for the lack of keydisk encryption. > > $ man bioctl > > # bioctl -h -v -c C ... > > > To what end? At some point you're going to have to store the passphrase somewhere it can be easily read, and all you've really achieved is a way to, at best, slow down a potential attacker. -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Encrypting my keydisk
I'm sorry I might have not been so clear about it. I meant a way to encrypt the actual keydisk with a passphrase. On 2019-10-18 13:34, Jan Stary wrote: >>> On Wednesday, October 16, 2019 11:06 PM, List wrote: I was wondering if there is a reason for the lack of keydisk encryption. > $ man bioctl > # bioctl -h -v -c C ... >
Re: Encrypting my keydisk
> > On Wednesday, October 16, 2019 11:06 PM, List wrote: > >> I was wondering if there is a reason for the lack of keydisk encryption. $ man bioctl # bioctl -h -v -c C ...
Re: Encrypting my keydisk
Hi, I've found the diff / suggestion you're talking about. But it seems to be rather hacky. For what reason I guess it never made it into the tree. I'll ask tech@ what they'd think about a patch. g, Stephan On 2019-10-17 11:02, flauenroth wrote: > There was an effort, if memory serves but never got committed afaik. Not sure > what happened any why but you should be able to dig the mailiing list > conversation up and from there compile the uncommitted patch for your needs. > At least that would be my approach, except it's now part of OpenBSD. > > > Have a nice day, > > Fabian > > > > ___ > Always exit with 42 to return the answer. > > ‐‐‐ Original Message ‐‐‐ > On Wednesday, October 16, 2019 11:06 PM, List wrote: > >> Hi, >> >> I was wondering if there is a reason for the lack of keydisk encryption. >> >> And if there is a reason what that would be. Or maybe I'm just missing >> something and there is a way to achieve this. >> >> Please correct me. Thanks for your time. >> >> g Stephan signature.asc Description: OpenPGP digital signature
Re: Encrypting my keydisk
There was an effort, if memory serves but never got committed afaik. Not sure what happened any why but you should be able to dig the mailiing list conversation up and from there compile the uncommitted patch for your needs. At least that would be my approach, except it's now part of OpenBSD. Have a nice day, Fabian ___ Always exit with 42 to return the answer. ‐‐‐ Original Message ‐‐‐ On Wednesday, October 16, 2019 11:06 PM, List wrote: > Hi, > > I was wondering if there is a reason for the lack of keydisk encryption. > > And if there is a reason what that would be. Or maybe I'm just missing > something and there is a way to achieve this. > > Please correct me. Thanks for your time. > > g Stephan signature.asc Description: OpenPGP digital signature
