Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-10-15 Thread David Vasek

On Mon, 18 Aug 2014, Jason Tubnor wrote:

> On 2 June 2014 10:23, Ted Unangst t...@tedunangst.com wrote:
>
>> Part of the deprecation / migration process is identifying the weird
>> ways people use vnd and finding solutions for them. But as we've seen,
>> people never move forward without the occasional push.
>
> So the most appropriate way to use vnd(4) as an encrypted container
> going forward would be to lay down softraid(4) CRYPTO inside it to
> achieve a like-for-like outcome or would this be over-complicating
> things?  I have had success in testing this use case but I am aware it
> may not be supported.

To revive this old thread again (I missed the recent post):

I tested the same or a similar setup (a softraid(4) crypto volume on top of 
an unencrypted vnd(4) device, in my case) in July this year and I saw some 
kind of write amplification effect by a factor of two. The resulting 
effective writing speed was quite low. The sector size of the underlying 
hard drive was 4K bytes.


Regards,
David
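An added illustration (example code written for this page, not code from the thread or from OpenBSD) of one mechanism behind extra I/O when a layer that only speaks 512-byte sectors sits on a drive with 4096-byte physical sectors: any write that does not cover whole physical sectors forces the drive to read them, merge the new bytes and write them back. The drive model is an assumption (no write cache, no request merging) and the numbers say nothing about what caused the factor of two measured above; what they show is how I/O size and partition alignment decide whether read-modify-write happens at all.

```python
PHYS_SECTOR = 4096   # assumed physical sector size of an "Advanced Format" drive
LOG_SECTOR = 512     # the logical sector size the thread says softraid(4) expects


def physical_sectors_touched(offset: int, length: int, phys: int = PHYS_SECTOR) -> list:
    """Map one write of `length` bytes at byte `offset` onto physical sectors.

    Returns [(sector_number, fully_covered), ...].  A partially covered
    physical sector cannot be written directly: the drive must read it,
    merge the new bytes and write the whole sector back (read-modify-write).
    """
    if offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    end = offset + length
    first, last = offset // phys, (end - 1) // phys
    touched = []
    for s in range(first, last + 1):
        s_start, s_end = s * phys, (s + 1) * phys
        touched.append((s, offset <= s_start and end >= s_end))
    return touched


def write_cost(writes: list, phys: int = PHYS_SECTOR) -> dict:
    """Aggregate the modelled physical cost of a list of (offset, length) writes.

    'amplification' is physical bytes moved (sector reads plus sector writes)
    divided by logical bytes requested; 1.0 means every write mapped cleanly
    onto whole physical sectors.
    """
    logical = phys_written = rmw = 0
    for offset, length in writes:
        logical += length
        for _, fully_covered in physical_sectors_touched(offset, length, phys):
            phys_written += 1
            if not fully_covered:
                rmw += 1
    return {
        "writes": len(writes),
        "phys_written": phys_written,
        "rmw": rmw,
        "amplification": (phys_written + rmw) * phys / logical,
    }


def sequential_writes(start: int, io_size: int, total: int) -> list:
    """Constructed workload: back-to-back writes of io_size bytes covering total bytes."""
    return [(start + i * io_size, io_size) for i in range(total // io_size)]


def scenarios(total: int = 1 << 20) -> dict:
    """Three constructed 1 MiB workloads that differ only in I/O size and alignment."""
    return {
        # 512-byte writes: each one partially covers a 4 KiB sector, so every write is a RMW
        "512B writes": write_cost(sequential_writes(0, LOG_SECTOR, total)),
        # 4 KiB writes starting at logical sector 63 (the old MBR convention):
        # 63 * 512 is not a multiple of 4096, so every write straddles two physical sectors
        "4K writes at sector 63": write_cost(sequential_writes(63 * LOG_SECTOR, PHYS_SECTOR, total)),
        # 4 KiB writes starting on a 1 MiB boundary: exactly one whole physical sector per write
        "4K writes at 1 MiB": write_cost(sequential_writes(1 << 20, PHYS_SECTOR, total)),
    }


if __name__ == "__main__":
    for name, cost in scenarios().items():
        print("%-24s writes=%-5d phys_written=%-5d rmw=%-5d amplification=%.1f"
              % (name, cost["writes"], cost["phys_written"], cost["rmw"], cost["amplification"]))
```

The third scenario is the one to aim for when an image file or partition is laid out by hand: start the container on a 1 MiB boundary and keep the filesystem block size at a multiple of the physical sector size, so the 512-byte view the upper layer has does not turn into partial physical-sector writes underneath.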



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-08-17 Thread Jason Tubnor
On 2 June 2014 10:23, Ted Unangst t...@tedunangst.com wrote:


> Part of the deprecation / migration process is identifying the weird
> ways people use vnd and finding solutions for them. But as we've seen,
> people never move forward without the occasional push.


So the most appropriate way to use vnd(4) as an encrypted container
going forward would be to lay down softraid(4) CRYPTO inside it to
achieve a like-for-like outcome or would this be over-complicating
things?  I have had success in testing this use case but I am aware it
may not be supported.



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-06-01 Thread David Vasek

On Fri, 30 May 2014, Theo de Raadt wrote:

>>> Robert [info...@die-optimisten.net] wrote:
>>>> On Fri, 30 May 2014 12:19:35 -0400
>>>> Ted Unangst t...@tedunangst.com wrote:
>>>>> WARNING: Encrypted vnd is insecure.
>>>>> Migrate your data to softraid before 5.7.
>>>>
>>>> Will 5.6 softraid support block sizes other than 512 byte?
>>>>
>>>> marc.info/?l=openbsd-misc&m=139524543706370
>>>
>>> There are no plans for it right now.
>>
>> The way I read the original message (and please correct me if this is wrong!), 
>> is that something will happen in 5.7 that will disable encrypted vnd.
>>
>> Which means that people with recent internal/external HDs, that use 4k blocks, 
>> will have a problem.
>>
>> (Some disks allow you to use jumper settings for 512b, but not all external 
>> ones)
>
> Wow, don't know where you got that from.  Sometimes it is just a simple
> explanation.


Could you please provide a little bit more information? What causes 
encrypted vnd to be insecure and what will happen to vnd(4) before 5.7 if 
it isn't removal of crypto?


Also, are there any options remaining to encrypt non-512-byte/sector 
devices, data on NFS filesystems (NAS boxes) and removable/backup media 
other than hard drives (or that pretend to be hard drives)?


Thank you.

Regards,
David



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-06-01 Thread Theo de Raadt
> Could you please provide a little bit more information? What causes 
> encrypted vnd to be insecure

Ted went a bit far; it is unusual for him to be melodramatic.

Basically -- less than state of the art crypto.

> and what will happen to vnd(4) before 5.7 if it isn't removal of crypto?

You persist in reading too much into things.



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-06-01 Thread Ted Unangst
On Sun, Jun 01, 2014 at 11:37, Theo de Raadt wrote:
>> Could you please provide a little bit more information? What causes 
>> encrypted vnd to be insecure
>
> Ted went a bit far; it is unusual for him to be melodramatic.
>
> Basically -- less than state of the art crypto.

You would never use blowfish-cbc (with a 64-bit blocksize) for disk
encryption today. You can probably find a wiki page somewhere with
details, but the reality is most people aren't capable of assessing
whether this is secure enough.

Part of the deprecation / migration process is identifying the weird
ways people use vnd and finding solutions for them. But as we've seen,
people never move forward without the occasional push.
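The concrete problem with a 64-bit block cipher in CBC mode is the birthday bound: after roughly 2^32 blocks encrypted under one key (a few tens of gigabytes, well within the size of a disk image) two ciphertext blocks are likely to repeat, and in CBC a repeated ciphertext block hands an observer the XOR of two plaintext blocks. The example below is added here and is not code from the thread or from OpenBSD's vnd(4); it uses a toy Feistel permutation (an assumption standing in for Blowfish, chosen only because it is a bijection and its block size can be shrunk) with 24-bit blocks so the collision shows up after a few thousand blocks, and it computes the real bound for 64- and 128-bit blocks.

```python
import hashlib
import math
import random


def feistel_encrypt(key: bytes, block: int, half_bits: int, rounds: int = 6) -> int:
    """Toy keyed permutation on (2 * half_bits)-bit blocks.

    A Feistel network is a bijection whatever its round function, and a
    bijection is the only property the CBC argument below relies on.  The
    round function is a truncated SHA-256 of (key, round, right half).
    This is an assumed stand-in for a real 64-bit block cipher such as Blowfish.
    """
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    for r in range(rounds):
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(8, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:8], "big") & mask)
    return (left << half_bits) | right


def cbc_encrypt(key: bytes, iv: int, blocks: list, half_bits: int) -> list:
    """Plain CBC: C_i = E(P_i XOR C_{i-1}), with C_{-1} = iv."""
    out, prev = [], iv
    for p in blocks:
        prev = feistel_encrypt(key, p ^ prev, half_bits)
        out.append(prev)
    return out


def find_collision(ciphertext: list):
    """Return (i, j) with i < j for the first repeated ciphertext block, else None."""
    seen = {}
    for idx, c in enumerate(ciphertext):
        if c in seen:
            return seen[c], idx
        seen[c] = idx
    return None


def leaked_xor(ciphertext: list, iv: int, i: int, j: int) -> int:
    """If C_i == C_j then E's inputs were equal, so P_i XOR P_j == C_{i-1} XOR C_{j-1}.

    The right-hand side is pure ciphertext, so someone who only sees the
    encrypted device learns the XOR of two plaintext blocks.
    """
    c_before_i = iv if i == 0 else ciphertext[i - 1]
    c_before_j = iv if j == 0 else ciphertext[j - 1]
    return c_before_i ^ c_before_j


def blocks_until_collision(block_bits: int, probability: float = 0.5) -> float:
    """Birthday bound: blocks under one key before a repeat with the given probability."""
    return math.sqrt(2.0 * (2 ** block_bits) * math.log(1.0 / (1.0 - probability)))


def gib_until_collision(block_bits: int, probability: float = 0.5) -> float:
    """The same bound as GiB of data encrypted under one key."""
    return blocks_until_collision(block_bits, probability) * (block_bits // 8) / float(1 << 30)


def demo(half_bits: int = 12, n_blocks: int = 40000, seed: int = 1234) -> dict:
    """Encrypt constructed random plaintext with the 24-bit toy cipher in CBC,
    find a repeated ciphertext block and check that the leak is real.  With
    2^24 possible blocks a repeat is expected after a few thousand blocks."""
    block_bits = 2 * half_bits
    rng = random.Random(seed)                      # constructed, reproducible input
    key = hashlib.sha256(b"demo-key-%d" % seed).digest()
    plaintext = [rng.getrandbits(block_bits) for _ in range(n_blocks)]
    iv = rng.getrandbits(block_bits)
    ciphertext = cbc_encrypt(key, iv, plaintext, half_bits)
    hit = find_collision(ciphertext)
    if hit is None:
        return {"collision": False}
    i, j = hit
    return {
        "collision": True,
        "i": i,
        "j": j,
        "leaked_xor": leaked_xor(ciphertext, iv, i, j),
        "true_xor": plaintext[i] ^ plaintext[j],
    }


if __name__ == "__main__":
    r = demo()
    print("collision at blocks", r["i"], r["j"], "leak correct:", r["leaked_xor"] == r["true_xor"])
    print("64-bit blocks: ~%.1f GiB per key for a 50%% chance of a repeat" % gib_until_collision(64))
    print("128-bit blocks: ~%.3g GiB per key" % gib_until_collision(128))
```

On a disk the "one key" is the volume key and the "data" is every sector ever written, so the 64-bit bound is reached by ordinary use of a medium-sized image; a 128-bit block cipher pushes the same bound far beyond any disk that will ever exist, which is the practical content of "less than state of the art".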



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-31 Thread Ted Unangst
On Fri, May 30, 2014 at 19:45, Jonathan Thornburg wrote:
> What will be the right way to achieve such a nested-encryption setup
> once encrypted vnd goes away?  Is/will it be safe (i.e., free from
> data corruption, deadlock, or other kernel badness) to nest softraid
> crypto volumes?

Short answer: it should be.

Long answer: if it's not, it would be better to know about problems
now rather than later, no?



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-30 Thread Robert
On Fri, 30 May 2014 12:19:35 -0400
Ted Unangst t...@tedunangst.com wrote:
> WARNING: Encrypted vnd is insecure.
> Migrate your data to softraid before 5.7.

Will 5.6 softraid support block sizes other than 512 byte?

marc.info/?l=openbsd-misc&m=139524543706370

kind regards,
Robert



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-30 Thread Chris Cappuccio
Robert [info...@die-optimisten.net] wrote:
> On Fri, 30 May 2014 12:19:35 -0400
> Ted Unangst t...@tedunangst.com wrote:
>> WARNING: Encrypted vnd is insecure.
>> Migrate your data to softraid before 5.7.
>
> Will 5.6 softraid support block sizes other than 512 byte?
>
> marc.info/?l=openbsd-misc&m=139524543706370

There are no plans for it right now.



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-30 Thread Robert
On Fri, 30 May 2014 11:14:40 -0700
Chris Cappuccio ch...@nmedia.net wrote:

> Robert [info...@die-optimisten.net] wrote:
>> On Fri, 30 May 2014 12:19:35 -0400
>> Ted Unangst t...@tedunangst.com wrote:
>>> WARNING: Encrypted vnd is insecure.
>>> Migrate your data to softraid before 5.7.
>>
>> Will 5.6 softraid support block sizes other than 512 byte?
>>
>> marc.info/?l=openbsd-misc&m=139524543706370
>
> There are no plans for it right now.

The way I read the original message (and please correct me if this is wrong!), 
is that something will happen in 5.7 that will disable encrypted vnd.

Which means that people with recent internal/external HDs, that use 4k blocks, 
will have a problem.

(Some disks allow you to use jumper settings for 512b, but not all external 
ones)



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-30 Thread Theo de Raadt
>> Robert [info...@die-optimisten.net] wrote:
>>> On Fri, 30 May 2014 12:19:35 -0400
>>> Ted Unangst t...@tedunangst.com wrote:
>>>> WARNING: Encrypted vnd is insecure.
>>>> Migrate your data to softraid before 5.7.
>>>
>>> Will 5.6 softraid support block sizes other than 512 byte?
>>>
>>> marc.info/?l=openbsd-misc&m=139524543706370
>>
>> There are no plans for it right now.
>
> The way I read the original message (and please correct me if this is 
> wrong!), is that something will happen in 5.7 that will disable encrypted vnd.
>
> Which means that people with recent internal/external HDs, that use 4k 
> blocks, will have a problem.
>
> (Some disks allow you to use jumper settings for 512b, but not all external 
> ones)


Wow, don't know where you got that from.  Sometimes it is just a simple
explanation.



Re: encrypted vnd Fwd: CVS: cvs.openbsd.org: src

2014-05-30 Thread Jonathan Thornburg
In message <http://marc.info/?l=openbsd-misc&m=140146687910205&w=1>,
Ted Unangst wrote:
> If you are using encrypted vnd (vnconfig -k or -K) you will want to
> begin planning your migration strategy.
[[...]]
> WARNING: Encrypted vnd is insecure.
> Migrate your data to softraid before 5.7.

Once this transition happens, what will be the right way to achieve
nested crypto volumes?

That is, with present-day OpenBSD I can have the following:

/home is a softraid-crypto filesystem
managed with 'bioctl -c C' via passphrase #1

/home/me/very-secret is a vnd-crypto filesystem
backed by the files  /home/me/very-secret-storage.{salt,data}
managed with 'vnconfig -c -K' via passphrase #2

/home/me/other-secret is a vnd-crypto filesystem
backed by the files  /home/me/other-secret-storage.{salt,data}
managed with 'vnconfig -c -K' via passphrase #3

What will be the right way to achieve such a nested-encryption setup
once encrypted vnd goes away?  Is/will it be safe (i.e., free from
data corruption, deadlock, or other kernel badness) to nest softraid
crypto volumes?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy  IUCSS, Indiana University, Bloomington, Indiana, USA
   There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time.  -- George Orwell, 1984