From owner-freebsd-fs@FreeBSD.ORG Sun Jul 10 00:04:31 2005
Return-Path:
X-Original-To: fs@freebsd.org
Delivered-To: freebsd-fs@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34DE716A41C for ; Sun, 10 Jul 2005 00:04:31 +0000 (GMT) (envelope-from rick@snowhite.cis.uoguelph.ca)
Received: from dargo.cs.uoguelph.ca (dargo.cs.uoguelph.ca [131.104.96.159]) by mx1.FreeBSD.org (Postfix) with ESMTP id C790043D45 for ; Sun, 10 Jul 2005 00:04:30 +0000 (GMT) (envelope-from rick@snowhite.cis.uoguelph.ca)
Received: from snowhite.cis.uoguelph.ca (snowhite.cis.uoguelph.ca [131.104.48.1]) by dargo.cs.uoguelph.ca (8.13.1/8.13.1) with ESMTP id j6A04KLt005309; Sat, 9 Jul 2005 20:04:20 -0400
Received: (from rick@localhost) by snowhite.cis.uoguelph.ca (8.9.3/8.9.3) id UAA18282; Sat, 9 Jul 2005 20:05:08 -0400 (EDT)
Date: Sat, 9 Jul 2005 20:05:08 -0400 (EDT)
From: rick@snowhite.cis.uoguelph.ca
Message-Id: <200507100005.UAA18282@snowhite.cis.uoguelph.ca>
To: tech@openbsd.org
X-Scanned-By: MIMEDefang 2.44
Cc: egronke@panasas.com, drhodus@machdep.com, deicher@sandia.gov, djm@mindrot.org, fs@freebsd.org, jimz@panasas.com
Subject: Oops, where's the ftp site?
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Filesystems
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 10 Jul 2005 00:04:31 -0000

> where can I find this? You didn't mention a URL.

Mindrot is probably an accurate description of why I didn't include the URL :-)

ftp://ftp.cis.uoguelph.ca/pub/nfsv4
(or anonymous ftp to ftp.cis.uoguelph.ca and "cd pub/nfsv4".)

You can also go to http://snowhite.cis.uoguelph.ca/nfsv4, which probably qualifies as one of the most primitive web pages on the planet.
Sorry about that, rick

From owner-freebsd-fs@FreeBSD.ORG Mon Jul 11 05:08:33 2005
Date: Sun, 10 Jul 2005 22:02:47 -0700
From: Glenn Dawson
To: freebsd-fs@freebsd.org
Message-Id: <6.1.0.6.2.20050710210126.1ff55cc0@cobalt.antimatter.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.1.0.6
Subject: newfs, cylinder groups, and a few other things

Recently, while looking into a particular problem, I found some things in the code for newfs(8) that don't make sense to me. Hopefully someone here can shed some light on things.

The maxblkspercg variable, which can be set using the -c option, is actually treated as if it were the max frags per cylinder group. Slightly confusing when you specify max blocks and you end up with something a lot less.

The second thing I noticed is that fs_old_cpg in struct fs is always set to 1 when creating a ufs1 file system.
The whole idea of cylinders and cylinder groups seems to have been rearranged so that what was previously a cylinder group is now the same as a cylinder. So instead of having a cylinder group with 16 cylinders and 8 blocks per cylinder for a total of 128 blocks, you end up with 1 cylinder with 128 blocks. Probably not a big deal in most cases, but a ufs1 file system created with newfs in 4.x has very different geometry than one created in 5.x. It was that difference that brought my attention to this in the first place.

Lastly, I also noticed that the value written to the disk label, which used to be the number of cylinders per group, is now fragments per group (or cylinder, since the groups never have more than 1 cylinder). The documentation for disklabel(8) doesn't mention this at all.

-Glenn

From owner-freebsd-fs@FreeBSD.ORG Mon Jul 11 15:12:44 2005
Date: Mon, 11 Jul 2005 11:13:24 -0400 (EDT)
From: rick@snowhite.cis.uoguelph.ca
Message-Id: <200507111513.LAA29211@snowhite.cis.uoguelph.ca>
To: tech@openbsd.org
Cc: egronke@panasas.com, deicher@sandia.gov, drhodus@machdep.com, fs@freebsd.org, jimz@panasas.com, phessler@theapt.org
Subject: NFSv4 for BSD mailing list

Thanks to Peter Hessler, there is now a mailing list for NFSv4 on BSD. To subscribe, just go to:

http://mailman.theapt.org/listinfo/openbsd-nfsv4

or email openbsd-nfsv4-subscribe@sfobug.org.

Sorry for spamming the mailing lists, but I didn't know of another way to get the word out, rick

From owner-freebsd-fs@FreeBSD.ORG Thu Jul 14 20:37:41 2005
Date: Thu, 14 Jul 2005 21:37:36 +0100
From: David Kreil
To: David Kreil
Cc: freebsd-fs@freebsd.org, Poul-Henning Kamp, freebsd-questions@freebsd.org
Message-Id: <200507142037.j6EKbaf12941@parrot.ebi.ac.uk>
In-Reply-To: Your message of "Sun, 05 Sep 2004 15:26:42 BST." <200409051426.i85EQgB18118@puffin.ebi.ac.uk>
X-Mailer: exmh version 2.4 06/23/2000 with nmh-1.0.4
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
X-EBI-SpamCheck: not spam, SpamAssassin (score=-8, required 5, HABEAS_SWE -8.00)
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

Dear Poul-Henning,

After a job-induced pause in my strong interest in encryption solutions, I have on my return tried to learn what has since changed with gbde. I must be missing the obvious because I cannot locate a "changelog" or "release notes" document.

You have been most helpful in our discussion last year. I have now, in particular, been wondering whether you have since at all had a chance of revisiting the issue of blackening keys with multiple physical random overwrite before resetting them to zero to avoid key recovery by methods as available from companies like www.dataclinic.co.uk.

With many thanks and best regards,

David.
---------------------------------------------------------------------------
Dr David Philip Kreil
Research Fellow, Darwin College,      | WWTF Vienna Science Chair of
University of Cambridge               | Bioinformatics, Dept of Biotechnology,
++44 1223 764107, fax 7092 810040     | c/o IAM / BOKU, A-1190 Muthgasse 18
www.inference.phy.cam.ac.uk/dpk20     | ++43 1 360066830

From owner-freebsd-fs@FreeBSD.ORG Thu Jul 14 20:37:45 2005
Message-Id: <200507142037.j6EKbft12951@parrot.ebi.ac.uk>
X-Mailer: exmh version 2.4 06/23/2000 with nmh-1.0.4
To: Allan Fields
In-Reply-To: Your message of "Sat, 28 Aug 2004 01:16:56 EDT." <20040828051655.GK33859@afields.ca>
Date: Thu, 14 Jul 2005 21:37:41 +0100
From: David Kreil
Cc: freebsd-fs@freebsd.org, David Kreil
Subject: Re: preventing information leakage in gbde protected system

Dear Allan,

After a job-induced pause in my strong interest in encryption solutions, I'm now slowly returning to the case. You have kindly provided good advice when we were in touch last year and I was wondering whether you had any further information regarding setting up a system to be gbde protected early enough during system boot to avoid leakage of sensitive information in /var, /etc, and possibly the root (/).

With many thanks and best regards,

David.

> > > > I wonder, in particular, what issues I have to expect in wanting to keep
> > > > system relevant directories like /var on a gbde partition.
> > >
> > > The gbde attach should occur early enough during multiuser startup to avoid
> > > such problems, I don't recall if the provided rc script would be sufficient,
> > > I'll test a configuration soon, or let me know if you have any luck.
> >
> > Have you yet had a chance to give it a try?
> >
> > I noticed that there have been additions to the rc.d script, like
> > "gbde_swap_enable". Would you know whether, if I used the rc.d approach,
>
> Yes, it provides a good way to quickly enable encrypted swap.
>
> > that will be early enough that I can have /var encrypted?
> > Else, how/where should I otherwise link in (as early as possible but after the
> > non-US keyboard support has loaded)?
>
> Key roles /var will play during startup:
> - logging: usually syslog or others want to write to /var/log
> - entropy: the entropy database default resides in /var/db (which
>   is interesting, what effect does encrypting this have?)
> - run files: some daemons will create pid and lock files, others
>   create sockets
> - networking: some network daemons use /var/db
> - mail: sendmail or other MDA might try to deliver some emails
> - savecore: crash dumps would be handled
> - etc..
>
> Therefore you are correct, doing it properly requires that /var be
> mounted well before any daemons start. Following rcorder we get a
> ranking w/ a few possible entry points:
>   preseedrandom
>   rcconf.sh
>   initrandom
>   dumpon
>   vinum
>   gbde_swap           <-
>   gbde                <- here (works fine, no dependencies on /var yet)
>   ccd                 // should ccd come before gbde ?
>   swap1
>   early.sh -> /etc/rc.early   <- or perhaps here for custom attaches
>   fsck
>   root
>   mountcritlocal
>   var
>   cleanvar            [ /var ]
>   addswap
>   sysctl
>   random              [ /var/db/entropy ]
>   NETWORKING          [ /var/db .. ]
>   mountcritremote
>   syslogd             [ /var/log ]
>   savecore            [ /var/crash ]   // If encrypted swap, may not work
>   etc.
>
> # grep -nR var `rcorder /etc/rc.d/*|awk '/mountcritlocal/{nextfile;} {print}'`
>
> Note with the provided gbde rc script: -l/-L is required and expects
> lock files to be made in /etc though you can also specify a gbde_lockdir
> in /etc/rc.conf such as /etc/bde to store all your keys. (Remember
> to take frequent back-ups).
>
> > > There are several approaches to securing /etc, but I can elaborate
> > > more after further testing. The short term approach is not storing
> > > private keys, etc. on an unencrypted root. Support for encrypted
> > > root is possible w/ some work, but there are a few issues to sort
> > > out first.
> >
> > Do I need an encrypted root? What would be the main benefit of this?
>
> The benefit would be to guarantee that nothing of importance is
> stored in the clear on /.
>
> Normally / is limited to system files, but as you've mentioned system
> files can be private keys or password databases, and it's possible for
> something else to be written by anyone w/ sufficient permissions.
> Restrictive permissions combined with encryption of sensitive areas
> of the file system could prevent most leakage scenarios absent full
> disk or root encryption.
>
> > I think I'd need an encrypted /var (as it holds logs, mail&printer spool,
> > ...), and possibly /etc/ssh/ - any other sensitive system areas (besides
> > swap).
>
> You could easily use gbde here by using a vnode backed md, though
> there are some more direct approaches to vnode level encryption:
>
> Example md usage
> setup:
>   mv /etc/ssh /etc/ssh.dist
>   mdconfig -a -t vnode -f /etc/ssh.bde -s 4m -u 22
>   gbde init /dev/md22 -f /dev/stdin <<-_INIT_
>   number_of_keys=4
>   random_flush=yes
>   _INIT_
>   gbde attach /dev/md22
>   newfs -o space /dev/md22.bde
>   mkdir -p /etc/ssh; chmod 755 /etc/ssh
>   mount /dev/md22.bde /etc/ssh
>   cp -RPp /etc/ssh.dist/* /etc/ssh &&\
>   rm -rf /etc/ssh.dist
> startup:
>   gbde attach /dev/md22 &&\
>   mount /dev/md22.bde /etc/ssh
> shutdown:
>   umount /dev/md22.bde &&\
>   gbde detach /dev/md22
>
> The same of course would apply to any private keys/password databases
> and certificates.
>
> > Where do you stand now with your setup? I'd be grateful to learn from your
> > experience.
>
> I've done the encrypted /var and /tmp successfully and w/ provided rc
> scripts as well. I will continue experimentation on GBDE for
> root/full system image setups.
>
> I plan to elaborate further on the subject and will post more details
> to the lists. I can try to collect some practical examples, as I
> originally set out to do earlier this summer, and put up a web page.

From owner-freebsd-fs@FreeBSD.ORG Fri Jul 15 09:24:22 2005
Date: Fri, 15 Jul 2005 11:24:18 +0200
From: "Poul-Henning Kamp"
To: David Kreil
Cc: freebsd-fs@freebsd.org, Poul-Henning Kamp, freebsd-questions@freebsd.org
Message-ID: <9297.1121419458@phk.freebsd.dk>
In-Reply-To: Your message of "Thu, 14 Jul 2005 21:37:36 BST." <200507142037.j6EKbaf12941@parrot.ebi.ac.uk>
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

In message <200507142037.j6EKbaf12941@parrot.ebi.ac.uk>, David Kreil writes:
>
>Dear Poul-Henning,
>
>After a job-induced pause in my strong interest in encryption solutions,
>I have on my return tried to learn what has since changed with gbde. I must
>be missing the obvious because I cannot locate a "changelog" or "release
>notes" document.

Not much has happened :-)

In FreeBSD you need to study the cvs logs to see what happened.

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/geom/bde/?hideattic=0

>You have been most helpful in our discussion last year. I have now, in
>particular, been wondering whether you have since at all had a chance of
>revisiting the issue of blackening keys with multiple physical random
>overwrite before resetting them to zero to avoid key recovery by methods
>as available from companies like www.dataclinic.co.uk.

I have talked with some people from various disk manufacturers who
know what they talk about and their unanimous advice is: "forget it".
The geometry of modern disk R/W heads does not allow you to do anything
which will be really efficient.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-fs@FreeBSD.ORG Fri Jul 15 10:14:29 2005
Date: Fri, 15 Jul 2005 11:14:13 +0100
From: David Kreil
To: "Poul-Henning Kamp"
Cc: freebsd-fs@freebsd.org, David Kreil, freebsd-questions@freebsd.org
Message-Id: <200507151014.j6FAEDt02003@parrot.ebi.ac.uk>
In-Reply-To: Your message of "Fri, 15 Jul 2005 11:24:18 +0200." <9297.1121419458@phk.freebsd.dk>
X-Mailer: exmh version 2.4 06/23/2000 with nmh-1.0.4
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

Dear Poul-Henning,

Thank you for your fast and friendly reply!

> In FreeBSD you need to study the cvs logs to see what happened.
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/geom/bde/?hideattic=0

Ah, thanks!

> >You have been most helpful in our discussion last year. I have now, in
> >particular, been wondering whether you have since at all had a chance of
> >revisiting the issue of blackening keys with multiple physical random
> >overwrite before resetting them to zero to avoid key recovery by methods
> >as available from companies like www.dataclinic.co.uk.
>
> I have talked with some people from various disk manufacturers who
> know what they talk about and their unanimous advice is: "forget it".
> The geometry of modern disk R/W heads does not allow you to do anything
> which will be really efficient.

This, however, would not matter due to the beauty of the gbde design! The areas that one would need to "wipe" are very small. All we need to thoroughly destroy are the keys, then the rest can safely stay in place.

So, even if one doesn't know how to disable device caching, if a typical disk cache is 8MB, I suppose one could flush it through by writing 20MB. So, if one has |key|20MB bla| on disk and one wrote |random|20MB bla|, that should get the "random" bits overwriting the key on disk (except for hardware-level sector remapping, but that is a rare event).
One would have to bypass the operating system cache though; I guess you would know how to do that, right?

This should take less than 1s on a modern disk, i.e., less than half a minute for the entire procedure, x4 = 1-2 minutes, which should be fast enough for a final destruction.

Would it be a lot of work for someone knowledgeable to implement that? I'd be happy to help but my knowledge of FreeBSD internals is sketchy to say the least.

What do you think? I much look forward to hearing from you.

With best regards,

David.

From owner-freebsd-fs@FreeBSD.ORG Fri Jul 15 11:58:13 2005
Date: Fri, 15 Jul 2005 13:58:09 +0200 (CEST)
From: Oliver Fromme
To: freebsd-fs@FreeBSD.ORG
Message-Id: <200507151158.j6FBw96T011930@lurza.secnetix.de>
In-Reply-To: <200507151014.j6FAEDt02003@parrot.ebi.ac.uk>
X-Newsgroups: list.freebsd-fs
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))
Reply-To: freebsd-fs@FreeBSD.ORG
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

David Kreil wrote:
> [...]
> So, even if one doesn't know how to disable device caching, if a typical disk
> cache is 8MB, I suppose one could flush it through by writing 20MB. So, if one
> has |key|20MB bla| on disk and one wrote |random|20MB bla| that should get the
> "random" bits overwriting the key on disk (except for hardware-level sector
> remapping, but that is a rare event). One would have to bypass the operating
> system cache though; I guess you would know how to do that, right?
> This should take less than 1s on a modern disk, i.e., less than half a minute
> for the entire procedure, x4 = 1-2 minutes, which should be fast enough for a
> final destruction.

That sounds like you want to overwrite the same location on the disk more than a hundred times. That's not even paranoid, it's completely pointless.

I suggest you read this document, ESPECIALLY the section "Epilogue" near the end:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

It suggests that -- with any modern hard disk drive -- a few passes (say three) of overwriting with random data are completely sufficient.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
        -- David Bradley, original IBM PC design team
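The key-blackening step discussed in this thread, written out as an added example (not code from the thread, from gbde or from FreeBSD) the way a defender would implement it in C on a file or block device: a few random overwrites of the small key region, each forced out of the OS buffer cache with fsync(), then a zero pass. The path, offsets, pass count and file contents are constructed sample values, not gbde's real on-disk layout.

```c
/* Added example, not code from the thread, gbde or FreeBSD: the key
 * "blackening" step discussed above, on a file or block device. The small
 * key region gets a few random overwrites, each forced out of the OS buffer
 * cache with fsync(), then a zero pass. Path, offsets, pass count and file
 * contents are constructed sample values, not gbde's on-disk layout. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with len bytes from /dev/urandom. Returns 0 on success. */
static int fill_random(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Write exactly len bytes at off, then fsync(). fsync() pushes the pass out
 * of the OS cache to the device; whether the drive's own write cache is
 * flushed too depends on the driver and the device. Returns 0 or -1. */
static int write_pass(int fd, off_t off, const unsigned char *buf, size_t len) {
    if (lseek(fd, off, SEEK_SET) != off) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n <= 0) return -1;
        done += (size_t)n;
    }
    return fsync(fd);
}

/* Blacken [off, off+len): `passes` synced random overwrites, then one
 * synced zero pass (the "reset to zero" from the proposal). Returns 0 on
 * success, -1 on any I/O failure. */
int blacken_region(const char *path, off_t off, size_t len, int passes) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    unsigned char *buf = malloc(len);
    if (buf == NULL) { close(fd); return -1; }
    int rc = 0;
    for (int p = 0; p < passes && rc == 0; p++)
        if (fill_random(buf, len) != 0 || write_pass(fd, off, buf, len) != 0)
            rc = -1;
    if (rc == 0) {
        memset(buf, 0, len);
        rc = write_pass(fd, off, buf, len);
    }
    free(buf);
    close(fd);
    return rc;
}

/* Read len bytes at off into out. Returns 0 on success. */
static int read_region(const char *path, off_t off, unsigned char *out, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0 || lseek(fd, off, SEEK_SET) != off) { if (fd >= 0) close(fd); return -1; }
    ssize_t n = read(fd, out, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Self-check on a constructed file: a 32-byte fake key at offset 512 is
 * followed by 4 KiB of payload that must survive untouched. Returns 1 if
 * the key bytes are gone (all zero) and the payload is intact, else 0. */
int demo_blacken(const char *path) {
    unsigned char key[32], payload[4096], wiped[32], after[4096];
    memset(key, 0xAB, sizeof key);                       /* constructed key */
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (unsigned char)i;
    FILE *f = fopen(path, "wb");
    if (f == NULL) return 0;
    fseek(f, 512, SEEK_SET);                   /* bytes 0..511 stay zero */
    fwrite(key, 1, sizeof key, f);
    fwrite(payload, 1, sizeof payload, f);
    fclose(f);
    if (blacken_region(path, 512, sizeof key, 3) != 0) return 0;
    if (read_region(path, 512, wiped, sizeof wiped) != 0) return 0;
    if (read_region(path, 512 + (off_t)sizeof key, after, sizeof after) != 0) return 0;
    for (size_t i = 0; i < sizeof wiped; i++) if (wiped[i] != 0) return 0;
    return memcmp(payload, after, sizeof after) == 0;
}
```

On a real device the same three-pass-plus-zero loop is what the thread ends up recommending; the read-back check only proves the OS view of the sectors changed, not what a drive's remapped sectors still hold.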