openbsd encrypted fs

zem zem at zip.com.au
Wed Oct 24 18:30:22 PDT 2001 

On 24 Oct 2001, Dr. Evil wrote:

> No, it has nothing to do with speed.  Machines are plenty fast.  This
> is just a kludgy way to do this, and the last time I tried it, I got
> kernel panics within a day or so of uptime.  Not acceptable,
> obviously.

2.7 had problems.  It's worked reliably for me since 2.8.  YMMV.

> > >Is booting from an encrypted fs ever useful?  Use read-only media if
> > >tampering is a concern.  Configure and mount other encrypted filesystems
> > >from /etc/rc.  If you can install and maintain OpenBSD, you can manage
>
> Surely you can appreciate that a software-only solution to
> tamper-resistance might have some usefulness?  Surely you can
> understand that, given a choice between booting from a CD and booting
> from hard disk, it might be an enormous pain to boot from CD all the
> time, and CDs are far less tamper-resistant than encrypted disk?
> Surely you can understand that there might be some config files in
> /etc that contain valuable information in some circumstances?

Sure.  Union mount the sensitive stuff over /etc as necessary.  CDs are
tamper resistant because they can be removed and carried.  Encryption is
not very useful as a tamper protection measure - it won't protect against
a DoS, or replacement of a partition with a trojan.

Encrypting system binaries is rarely useful.  It creates bootstrapping
problems and doesn't provide much benefit.  Encrypting /usr/local is
useful.

> Or
> perhaps a user wants to make sure that it cannot be proved that a
> certain application or kernel mod is installed?  With the right kind
> of boot loader and encrypted FS, you could conceal which OS is even
> being run.

Let's take a step back - this thread started because you suggested
win2k's encrypted filesystem was more useable than openbsd's.  Now your
argument against openbsd is that it's not invisible.

Out of interest, can Windows boot from an encrypted disk?

Yes, there are many different threat models ranging from casual to
paranoia.  Neither win2k nor openbsd will satisfy the truly paranoid.  But
openbsd does have a useful encrypted filesystem.

You're welcome to whine about the loopback not being the right colour or
whatever.  Hell, I'd skip the loopback layer if I could.  In the meantime
I'll use what's available.  My /home partition is encrypted - is yours?

> I can't believe that some people on this list think that storing data
> in an encrypted format is pointless.

Encrypting data is useful.  Encrypting system binaries is of little value.


-- 
mailto:zem at zip.com.au F289 2BDB 1DA0 F4C4 DC87 EC36 B2E3 4E75 C853 FD93
http://zem.squidly.org/ "I'm invisible, I'm invisible, I'm invisible.."

More information about the cypherpunks-legacy mailing list