Re: Why overwrite first megabyte of encrypted disk?
On 05/25/16 13:34, Robert Campbell wrote:
> https://www.openbsd.org/faq/faq14.html#softraid
>
> In the FAQ > Disk Setup > Full Disk Encryption section there are these
> lines after the encrypted drive has been set up:
>
>> As in the previous example, we'll overwrite the first megabyte of our
>> new pseudo-device.
>>
>> # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
>
> Why?
>
> It isn't clear to me why I'd want to do this. It's clear in the referenced
> "previous example" why you'd want actual random data to surround the
> random-looking encrypted data to obscure its presence/boundary.

Personally, I've found it more useful to zero the component disks BEFORE creating the softraid device, as (at least in my stockpile of disks) very often the disks have already been used in softraid testing and experimentation, and thus have the remains of a softraid partition hidden away on the disk. While this is good for recovery, it tends to make experimentation more challenging...and experimenting with any RAID system is a requirement for a sane install and at least early on, the error messages when bioctl found a softraid partition you didn't know about were cryptic.

Zeroing the head of an encrypted disk after creation is probably a Good Idea, because whatever was on the disk before now looks like rather random data...and random data has an unfortunate habit of looking like on-disk data structures that might prove irritating to you.

Nick.
Re: Why overwrite first megabyte of encrypted disk?
On Wed, May 25, 2016 at 2:12 PM, Theo Buehler wrote:
> From http://man.openbsd.org/bioctl.4:

I think you meant http://man.openbsd.org/bioctl.8

Thanks,
--
Raul
Re: Why overwrite first megabyte of encrypted disk?
On Wed, May 25, 2016 at 07:35:04PM +0200, Robert Campbell wrote:
> https://www.openbsd.org/faq/faq14.html#softraid
>
> In the FAQ > Disk Setup > Full Disk Encryption section there are these
> lines after the encrypted drive has been set up:
>
> > As in the previous example, we'll overwrite the first megabyte of our
> > new pseudo-device.
> >
> > # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
>
> Why?
>
> It isn't clear to me why I'd want to do this. It's clear in the referenced
> "previous example" why you'd want actual random data to surround the
> random-looking encrypted data to obscure its presence/boundary.

From http://man.openbsd.org/bioctl.4:

    After creating a newly encrypted disk, the first megabyte of it should be zeroed, so tools like fdisk(8) or disklabel(8) don't get confused by the random data that appears on the new disk. This can be done with the following command (assuming the new disk is sd3):

    # dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

The "previous example" alluded to refers to "installing to a mirror", more precisely this section:

    Because the new device probably has a lot of garbage where you expect a master boot record and disklabel, zeroing the first chunk of it is highly recommended. Be very careful with this command; issuing it on the wrong device could lead to a very bad day. This assumes that the new softraid device was created as sd0.

    # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

This could probably be made a bit clearer.
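
The effect described in the quoted manual text, as an added example that is not part of the thread or of OpenBSD: it scans the first megabyte of a disk image for signatures that partitioning tools recognise (MBR boot signature, GPT header signature, BSD disklabel magic), zeroes that megabyte in place, and scans again. The function names, the regular file standing in for the disk, the planted sample data and the 512-byte sector size are assumptions of the example.

```python
import os
import struct

HEAD = 1024 * 1024                          # the "first megabyte" zeroed in the FAQ
SECTOR = 512                                # assumption: 512-byte sectors
DISKMAGIC = struct.pack("<I", 0x82564557)   # BSD disklabel magic, little-endian

def scan_head(path):
    """Return the partition-table signatures found in the first MiB of path."""
    with open(path, "rb") as f:
        head = f.read(HEAD)
    found = []
    if head[510:512] == b"\x55\xaa":                 # MBR boot signature
        found.append("mbr")
    if head[SECTOR:SECTOR + 8] == b"EFI PART":       # GPT header at LBA 1
        found.append("gpt")
    # The label's sector and offset vary by architecture, so search the
    # whole head on 4-byte boundaries instead of assuming one location.
    if any(head[i:i + 4] == DISKMAGIC for i in range(0, len(head) - 3, 4)):
        found.append("disklabel")
    return found

def zero_head(path):
    """Overwrite the first MiB in place, leaving the rest of the image alone."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * HEAD)
        f.flush()
        os.fsync(f.fileno())

def make_sample(path, size=2 * HEAD):
    """Constructed stand-in for a new volume: random bytes plus planted leftovers."""
    data = bytearray(os.urandom(size))
    data[510:512] = b"\x55\xaa"
    data[SECTOR:SECTOR + 8] = b"EFI PART"
    data[2 * SECTOR:2 * SECTOR + 4] = DISKMAGIC
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data[HEAD:])                # bytes past the head, for comparison

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "volume.img")
        make_sample(img)
        print("before:", scan_head(img))
        zero_head(img)
        print("after: ", scan_head(img))
```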
Why overwrite first megabyte of encrypted disk?
https://www.openbsd.org/faq/faq14.html#softraid

In the FAQ > Disk Setup > Full Disk Encryption section there are these lines after the encrypted drive has been set up:

> As in the previous example, we'll overwrite the first megabyte of our new pseudo-device.
>
> # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

Why?

It isn't clear to me why I'd want to do this. It's clear in the referenced "previous example" why you'd want actual random data to surround the random-looking encrypted data to obscure its presence/boundary.