#1  maioral, 12-26-2012, 03:02 PM
Full Disk Encryption?
Is there a way to make a FULL disk encryption?
Or just some partitions other than the boot one?

The default disk encryption of PC-BSD... What are its characteristics?
256? AES? Triple DES? Blowfish? Serpent?
Can we mix some of them?
#2  kmoore134 (Administrator), 12-26-2012, 06:15 PM
You can do all sorts of advanced stuff post-install if you just want to
create another encrypted partition. Take a look at the manpage for
"geli"; it has all sorts of useful information on how we can do
encryption on BSD.
__________________
----
Kris Moore
PC-BSD Founder
#3  maioral, 12-26-2012, 08:26 PM
Thanks, I discovered it is AES-XTS 128 bits. If I discover how to improve it I will post here afterwards for you guys.

Edited:
http://www.unix.com/man-page/all/8/geli/
Quote:
setkey Change or setup (if not yet initialized) selected key. There
is one master key, which can be encrypted with two independent
user keys. With the init subcommand, only key number 0 is
initialized. The key can always be changed: for an attached
provider, for a detached provider or on the backup file. When
a provider is attached, the user does not have to provide an
old passphrase/keyfile.

Quote:
-l keylen
Key length to use with the given cryptographic algorithm. If not given, the default key length for the given algorithm is used, which is: 128 for AES, 128 for Blowfish, 128 for Camellia and 192 for 3DES.

Does any master here know what I write in the terminal to upgrade the encryption to the highest level?

Must we use it before it gets initialized? I have no clue, not even where to start... Must I boot with a special option? Then what do I write in the terminal?

I am afraid that if I try alone I might screw everything up...

Can it use 2 or 3 algorithms at the same time too? Or just one?

Quote:
init Initialize provider which needs to be encrypted. Here you can
set up the cryptographic algorithm to use, key length, etc.
The last provider's sector is used to store metadata. The
init subcommand also automatically backups metadata in
/var/backups/<prov>.eli file. The metadata can be recovered
with the restore subcommand described below.

Additional options include:

-a aalgo Enable data integrity verification (authentication) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be available for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recommended algorithm is HMAC/SHA256.

-b Ask for the passphrase on boot, before the root partition is mounted. This makes it possible to use an encrypted root partition. One will still need bootable unencrypted storage with a /boot/ directory, which can be a CD-ROM disc or USB pen-drive, that can be removed after boot.
And what about this? Is data integrity verification already on? How do I check?
And how do I make that encrypted root partition after installing PC-BSD?
Can it be made like a first 50 MB partition just to do that? Or is the default way better, with root unencrypted?

Quote:
-i iterations
Number of iterations to use with PKCS#5v2. If this
option is not specified, geli will find the number
of iterations which is equal to 2 seconds of crypto
work. If 0 is given, PKCS#5v2 will not be used.
"Iteration in computing is the repetition of a process within a computer program. It can be used both as a general term, synonymous with repetition, and to describe a specific form of repetition with a mutable state."
I tried to figure out what that iterations option means but no success...

Edited 2:

Wouldn't it be good to choose encryption options in the install?

Last edited by maioral; 12-26-2012 at 10:08 PM.
#4  Abdul, 12-29-2012, 08:26 AM
Originally Posted by maioral View Post
"Iteration in computing is the repetition of a process within a computer program. It can be used both as a general term, synonymous with repetition, and to describe a specific form of repetition with a mutable state."
I tried to figure out what that iterations option means but no success..
https://en.wikipedia.org/wiki/PBKDF2
Long story short, it hashes the password multiple times to make the process slower and therefore reduce the efficiency of bruteforce cracking. The parameter lets you specify a custom performance/security tradeoff.
__________________
touch -- '-rf ~'
#5  jag3773, 01-11-2013, 03:29 AM
Took me a bit to find the right file, but /usr/share/pc-sysinstall/backend/functions-newfs.sh on the ISO or IMG file has the commands used to create the geli device (line 155 or 160).

Basically, the defaults are used, which means the AES-XTS algorithm, and no data authentication.
__________________
Thanks,
Jesse

http://www.ekfocus.com
#6  maioral, 01-13-2013, 08:08 PM
Originally Posted by jag3773 View Post
Took me a bit to find the right file, but /usr/share/pc-sysinstall/backend/functions-newfs.sh on the ISO or IMG file has the commands used to create the geli device (line 155 or 160).

Basically, the defaults are used, which means the AES-XTS algorithm, and no data authentication.
And is there a way to increase the encryption?
Can it be done after installing?

If so, what are the commands or edits I must make?
#7  Abdul, 01-21-2013, 08:01 PM
Originally Posted by maioral View Post
And is there a way to increase the encryption?
Can it be done after installing?

If so, what are the commands or edits I must make?
What do you mean by 'increase'? Make stronger? If yes, I wonder what exactly you want... provable security?
__________________
touch -- '-rf ~'
#8  maioral, 01-24-2013, 08:14 PM
Yes, make stronger. Instead of 128-bit AES I would like 256 or 512. And AES + Serpent etc. if possible...
#9  david_a, 01-28-2013, 07:12 AM
Originally Posted by maioral View Post
Yes, make stronger. Instead of 128-bit AES I would like 256 or 512. And AES + Serpent etc. if possible...
I guess the real question is not "what do you want" - the real question is "Why do you want that - what good will it be for you?"
#10  Abdul, 02-17-2013, 07:37 AM
There's no AES512 and last time I checked AES128 was stronger than 256 - because flaws people found in the latter reduced its effective strength so much.
__________________
touch -- '-rf ~'
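Two points in this thread lend themselves to a worked example: Abdul's explanation of what the -i (PBKDF2 iterations) option buys, and the later question of whether one can ask geli for "512-bit AES" or stack AES with Serpent. The block below is an added illustration written for this page, not code from PC-BSD, pc-sysinstall or geli itself; it assumes PBKDF2-HMAC-SHA256 as the KDF, that its cost grows linearly with the iteration count, and uses the -e, -s and -a flags of geli init in addition to the -l and -i flags quoted above. The 36**8 keyspace and the 1e9 guesses/second attacker are constructed numbers for the cost estimate.

```python
import hashlib
import os
import time
from typing import List, Optional

# Constructed example; not code from the forum thread, PC-BSD or geli.
# geli(8) accepts 128 or 256 for AES-XTS (the PC-BSD default cipher); there is
# no 512-bit AES, and `geli init` takes exactly one -e cipher and one -l length,
# so "AES + Serpent" is not something the tool can express.
AES_XTS_KEYLENS = (128, 256)


def derive_key(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: the PKCS#5 v2 derivation whose iteration count -i sets."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen)


def calibrate_iterations(target_seconds: float, probe: int = 20000) -> int:
    """Mimic geli's behaviour when -i is omitted: pick a count that costs about
    target_seconds on this machine (assumes cost is linear in the iteration count)."""
    t0 = time.perf_counter()
    derive_key(b"probe", os.urandom(16), probe)
    elapsed = time.perf_counter() - t0
    return max(1, int(probe * target_seconds / elapsed))


def bruteforce_years(iterations: int, keyspace: int, guesses_per_sec: float) -> float:
    """Years to try every passphrase in `keyspace` for an attacker who can run
    `guesses_per_sec` single-iteration PBKDF2 evaluations per second. Raising the
    iteration count multiplies this figure by the same factor."""
    return keyspace * iterations / guesses_per_sec / (365 * 24 * 3600)


def geli_init_args(provider: str, keylen: int = 256, sector: int = 4096,
                   auth: str = "HMAC/SHA256", iterations: Optional[int] = None) -> List[str]:
    """Compose a `geli init` command line for an AES-XTS provider using the options
    discussed in the thread: -l keylen, -s sector size, -a data authentication and
    -i iterations. Rejects key lengths AES-XTS does not support."""
    if keylen not in AES_XTS_KEYLENS:
        raise ValueError(f"AES-XTS supports key lengths {AES_XTS_KEYLENS}, not {keylen}")
    args = ["geli", "init", "-e", "AES-XTS", "-l", str(keylen),
            "-s", str(sector), "-a", auth]
    if iterations is not None:
        args += ["-i", str(iterations)]
    return args + [provider]


if __name__ == "__main__":
    its = calibrate_iterations(2.0)  # geli's own default target is ~2 seconds
    print("iterations for ~2s here:", its)
    print("years to exhaust 36^8 passphrases at 1e9 guesses/s:",
          bruteforce_years(its, 36 ** 8, 1e9))
    print(" ".join(geli_init_args("ada0p2", iterations=its)))
```

Running it prints a machine-specific iteration count, the brute-force estimate for that count, and the full `geli init` line; `geli init` still has to be run as root on the target provider, after which `geli list` shows the chosen cipher, key length and authentication algorithm.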