Re: Do I need to wipe encrypted dual boot NVME before installation
> Why would you complicate it like that?
> Just install OpenBSD anew.

I ask because I like things to be cleaned. I don't think it's complicated to wipe the LUKS header. I just don't know so much about encryption and don't want to make a mistake that could compromise the security and privacy it offers. But I had the answer to my question so I'm okay with this problem.

-- kz
Re: Do I need to wipe encrypted dual boot NVME before installation
> > I have a dual boot Devuan/OpenBSD, I wrote random data on my
> > drive

Why would you "write random data" on a drive you are about to reinstall?

> > and then install the OSes, both are encrypted.
> > Now, I want to remove this dual boot to have only OpenBSD
> > and use it as a daily driver.

Sure.

> > My plan for this is to boot a GNU/Linux live usb, erase LUKS keys
> > with cryptsetup command, use the wipefs command to erase LUKS
> > header and reinstall OpenBSD with full disk encryption.
> > Is it secure enough ? Do I need to do something with OpenBSD
> > encrypted data as I have to with the LUKS keys/header on GNU/Linux ?

Why would you complicate it like that?
Just install OpenBSD anew.
Re: Do I need to wipe encrypted dual boot NVME before installation
Everything is clear now. Even if I messed up with the dd command, I understood what I needed to do:

With GNU/Linux live:

    # cryptsetup erase /dev/nvme0n1p3    (my LUKS partition)
    # wipefs -a /dev/nvme0n1p3

With OpenBSD shell:

    # sysctl hw.disknames
    # cd /dev
    # sh MAKEDEV sd0    (my encrypted device)
    # dd if=/dev/urandom of=/dev/rsd0c bs=1m count=1

Like that I have a clean device ready to welcome OpenBSD.

Thank you.

-- kz
Re: Do I need to wipe encrypted dual boot NVME before installation
> If I understand your question correctly, you are trying to ensure that the
> encryption key for your existing OpenBSD installation is specifically
> destroyed before re-using the disk, to protect against the possibility
> that somebody with access to the disk could use that key to decrypt the
> softraid crypto partition before the encrypted data has been overwritten
> simply due to regular usage of the disk after re-installation.
>
> There is no specific tool in the OpenBSD base system to do this.
>
> However the key material for an OpenBSD softraid crypto partition is
> stored along with the other softraid metadata at the beginning of the
> partition, so it can quickly and easily be overwritten using dd to write
> random data to the first megabyte or so.

This is what I was looking for. You understood my question perfectly. I just have to know how to overwrite softraid metadata of my partition because it's not at the beginning of the drive, so I guess it's not the first megabyte.

Thanks.

-- kz
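
One way to aim the dd write described above at the softraid partition rather than at the start of the disk, as an added example that is not part of any message in this thread: the script reads `disklabel` output, finds the partitions of fstype RAID and prints (without running) a dd command for each partition's raw device. The disk name sd0 and the disklabel sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run: it prints commands and
# writes nothing to any device.

# Constructed sample of `disklabel sd0` output; sizes and offsets are made up.
sample_label() {
cat <<'EOF'
# /dev/rsd0c:
type: SCSI
label: constructed sample
bytes/sector: 512
total sectors: 1000215216

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:        499999744        500215472    RAID
  c:       1000215216                0  unused
  i:           532480             1024   MSDOS
EOF
}

# raid_partitions: read disklabel output on stdin and print the letter of
# every partition whose fstype column is RAID (a softraid chunk).
raid_partitions() {
    awk '$1 ~ /^[a-p]:$/ && $4 == "RAID" { sub(":", "", $1); print $1 }'
}

# wipe_commands DISK: for each RAID partition found on stdin, print a dd
# command aimed at that partition's raw device. Offsets on
# /dev/r<disk><letter> are relative to the start of the partition, so the
# write lands on the softraid metadata wherever the partition sits on the
# disk. The 1 MB size and OpenBSD's `bs=1m` spelling follow the thread.
wipe_commands() {
    disk=$1
    raid_partitions | while read -r part; do
        printf 'dd if=/dev/urandom of=/dev/r%s%s bs=1m count=1\n' "$disk" "$part"
    done
}

# On a real system the input would be `disklabel sd0` (assumed disk name).
sample_label | wipe_commands sd0
```

Writing to /dev/rsd0c instead would overwrite the first megabyte of the whole disk, which only covers the softraid metadata if the RAID partition starts there.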
Re: Do I need to wipe encrypted dual boot NVME before installation
On Sat, Jun 15, 2024 at 09:01:51AM +, lafermedesanim...@posteo.net wrote:
> I have a dual boot Devuan/OpenBSD, I wrote random data on my
> drive and then install the OSes, both are encrypted.
> Now, I want to remove this dual boot to have only OpenBSD
> and use it as a daily driver.
> My plan for this is to boot a GNU/Linux live usb, erase LUKS keys
> with cryptsetup command, use the wipefs command to erase LUKS
> header and reinstall OpenBSD with full disk encryption.
> Is it secure enough ? Do I need to do something with OpenBSD
> encrypted data as I have to with the LUKS keys/header on GNU/Linux ?

If I understand your question correctly, you are trying to ensure that the encryption key for your existing OpenBSD installation is specifically destroyed before re-using the disk, to protect against the possibility that somebody with access to the disk could use that key to decrypt the softraid crypto partition before the encrypted data has been overwritten simply due to regular usage of the disk after re-installation.

There is no specific tool in the OpenBSD base system to do this.

However the key material for an OpenBSD softraid crypto partition is stored along with the other softraid metadata at the beginning of the partition, so it can quickly and easily be overwritten using dd to write random data to the first megabyte or so.
Re: Do I need to wipe encrypted dual boot NVME before installation
On Sat, 15 Jun 2024 10:01:51 +0100, lafermedesanim...@posteo.net wrote:
>
> I have a dual boot Devuan/OpenBSD, I wrote random data on my
> drive and then install the OSes, both are encrypted.
> Now, I want to remove this dual boot to have only OpenBSD
> and use it as a daily driver.
> My plan for this is to boot a GNU/Linux live usb, erase LUKS keys
> with cryptsetup command, use the wipefs command to erase LUKS
> header and reinstall OpenBSD with full disk encryption.
> Is it secure enough ? Do I need to do something with OpenBSD
> encrypted data as I have to with the LUKS keys/header on GNU/Linux ?
>

Probably I don't understand your attack vector, but where I stay if you reinstall with reformat whole disk, old data on the disk will be replaced or not, but it shouldn't create an issue, should it?

--
wbr, Kirill