1. You don't really need to fdisk.

2. People should be advised to use softraid crypto now.

3. You don't specify a NUMBER or explain its importance.

The last part is probably the part most people don't understand, so I'll explain that more fully here. bioctl says the default for a similar keying scheme is 8192, but there's no special reason it must or should be a power of two. The number of rounds used determines how difficult it is to crack your password after an attacker recovers the salt and the encrypted volume. More rounds means more work per guess. So you may want to run some experiments, raising the number until it takes 10 seconds, for instance, or whatever you consider an acceptable amount of time to wait. The time and effort increase linearly: doubling rounds means doubling the time.

Some numbers to consider: at 1 second per guess, it takes about a day and a half to go through half of /usr/share/dict/words. In order to get the effort up to just 1 second on my laptop, I need 30000 rounds, 4x the default. You could try using 300,000 rounds; that would buy you maybe a week of time if you chose a weak password. Just remember that, unlike doubling the size of a crypto key or increasing the length of your password, for increasing rounds, pain and gain are directly linearly proportional. But there's a limit to how high the rounds should go. In order to get that same 10x assurance in time, you could also just add a number on to the end of your dictionary word and save yourself the annoyance every time you log in. Adding just two letters to your password probably buys you more time than you'd ever be willing to pay.

In the past, I've hesitated to recommend a number, but in consideration of the fact that your choice of password domain and length matters far more, I'll throw out a generalization. I think increasing above the default makes sense, but probably not more than about 1 second, where it will start to annoy you. 30k-40k rounds, let's say.

4. If you stick with vnconfig, I'd make a slightly bigger deal about backing up the salt.

People may have a tendency to copy the vnd backing file as a backup, omitting the salt, which makes it impossible to restore. softraid stores the salt with the raidinfo, so whatever you're doing for backup, you aren't as likely to omit it.

On Fri, Oct 30, 2009 at 7:57 PM, Brad Tilley <b...@16systems.com> wrote:
> I wrote some notes on how I normally encrypt /home on OpenBSD laptops.
> I was hoping misc could read it and bash it around some. I'd like to
> know if I'm doing something wrong. No jokes about Beck's ass please :)
>
> http://16systems.com/openbsd_laptop_encryption.txt
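The rounds experiment and the "rounds vs. password length" comparison in the reply above, worked through in code. This is an added example, not part of the thread or of the OpenBSD tools: it uses PBKDF2-HMAC-SHA1 from Python's hashlib as a stand-in for the key derivation bioctl and vnconfig perform (the post does not spell out the exact KDF, so that is an assumption), the 8192 default is the figure the post quotes, and the dictionary size of roughly 235,000 words is assumed rather than measured.

```python
"""Calibrate a PBKDF2-style round count and weigh it against password length.

Added example, not from the original post. PBKDF2-HMAC-SHA1 is used as a
stand-in for the softraid/vnconfig key derivation (assumption), and the
dictionary size below is assumed, not measured.
"""
import hashlib
import time

DEFAULT_ROUNDS = 8192          # the default the post quotes from bioctl
ASSUMED_DICT_SIZE = 235_000    # assumed rough size of /usr/share/dict/words


def derive(password: bytes, salt: bytes, rounds: int, dklen: int = 20) -> bytes:
    """One key derivation: the cost an attacker pays per candidate password."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, rounds, dklen)


def seconds_per_guess(rounds: int, repeats: int = 3) -> float:
    """Measure the wall-clock cost of one derivation at `rounds` on this machine."""
    salt = b"\x00" * 16  # constructed salt; its value does not affect timing
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        derive(b"candidate password", salt, rounds)
        best = min(best, time.perf_counter() - t0)
    return best


def rounds_for_target(measured_rounds: int, measured_seconds: float,
                      target_seconds: float) -> int:
    """Cost is linear in rounds, so one measurement scales to any target time."""
    return max(1, round(measured_rounds * target_seconds / measured_seconds))


def calibrate(target_seconds: float, start: int = DEFAULT_ROUNDS) -> int:
    """The experiment the post describes: raise rounds until a guess costs target_seconds."""
    return rounds_for_target(start, seconds_per_guess(start), target_seconds)


def dictionary_attack_seconds(spg: float, candidates: int = ASSUMED_DICT_SIZE) -> float:
    """Expected time to hit a dictionary password: half the list on average."""
    return spg * candidates / 2


def suffix_multiplier(extra_chars: int, alphabet: int = 26) -> int:
    """Factor by which appending characters multiplies the attacker's candidate set."""
    return alphabet ** extra_chars


def days(seconds: float) -> float:
    return seconds / 86400


if __name__ == "__main__":
    spg = seconds_per_guess(DEFAULT_ROUNDS)
    print(f"{DEFAULT_ROUNDS} rounds: {spg:.4f} s per guess on this machine")
    print(f"about {calibrate(1.0)} rounds for ~1 s per guess here")
    print(f"dictionary attack at 1 s/guess: ~{days(dictionary_attack_seconds(1.0)):.1f} days")
    print(f"10x rounds buys 10x time; two extra lowercase letters buy "
          f"{suffix_multiplier(2)}x more candidates")
```

`calibrate` is the only function that depends on the machine it runs on; everything else is the arithmetic the post walks through, so you can plug in your own measured seconds-per-guess and see how many rounds reach a given wait, and how quickly two extra characters of password outrun any practical round count.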