Re: Why overwrite first megabyte of encrypted disk?

2016-05-31 Thread Nick Holland 
On 05/25/16 13:34, Robert Campbell wrote:
> https://www.openbsd.org/faq/faq14.html#softraid
> 
> In the FAQ > Disk Setup > Full Disk Encryption section there are these
> lines after the encrypted drive has been set up:
> 
>>   As in the previous example, we'll overwrite the first megabyte of our
> new pseudo-device.
>>
>>   # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> 
> Why?
> 
> It isn't clear to me why I'd want to do this. It's clear in the referenced
> "previous example" why you'd want actual random data to surround the
> random-looking encrypted data to obscure its presence/boundary.
> 

personally, I've found it more useful to zero the component disks BEFORE
creating the softraid device, as (at least in my stockpile of disks)
very often the disks already been used in softraid testing and
experimentation, and thus have the remains of a softraid partition
hidden away on the disk.  While this is good for recovery, it tends to
make experimentation more challenging...and experimenting with any RAID
system is a requirement for a sane install and at least early on, the
error messages when bioctl found a softraid partition you didn't know
about were cryptic.

Zeroing the head of an encrypted disks after creation is a probably a
Good Idea, because whatever was on the disk before now looks like rather
random data...and random data has an unfortunately habit of looking like
on-disk data structures that might prove irritating to you.

Nick.

Re: Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Raul Miller 
On Wed, May 25, 2016 at 2:12 PM, Theo Buehler  wrote:
> From http://man.openbsd.org/bioctl.4:

I think you meant http://man.openbsd.org/bioctl.8

Thanks,

-- 
Raul

Re: Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Theo Buehler 
On Wed, May 25, 2016 at 07:35:04PM +0200, Robert Campbell wrote:
> https://www.openbsd.org/faq/faq14.html#softraid
> 
> In the FAQ > Disk Setup > Full Disk Encryption section there are these
> lines after the encrypted drive has been set up:
> 
> >   As in the previous example, we'll overwrite the first megabyte of our
> new pseudo-device.
> >
> >   # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> 
> Why?
> 
> It isn't clear to me why I'd want to do this. It's clear in the referenced
> "previous example" why you'd want actual random data to surround the
> random-looking encrypted data to obscure its presence/boundary.
> 

>From http://man.openbsd.org/bioctl.4:

After creating a newly encrypted disk, the first
 megabyte of it should be zeroed, so tools like fdisk(8) or disklabel(8)
 don't get confused by the random data that appears on the new disk.  This
 can be done with the following command (assuming the new disk is sd3):

# dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

The "previous example" alluded to refers to "installing to a mirror",
more precisely this section:

Because the new device probably has a lot of garbage where you
expect a master boot record and disklabel, zeroing the first
chunk of it is highly recommended. Be very careful with this
command; issuing it on the wrong device could lead to a very bad
day. This assumes that the new softraid device was created as
sd0.

# dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

This could probably be made a bit clearer.

Why overwrite first megabyte of encrypted disk?

2016-05-25 Thread Robert Campbell 
https://www.openbsd.org/faq/faq14.html#softraid

In the FAQ > Disk Setup > Full Disk Encryption section there are these
lines after the encrypted drive has been set up:

>   As in the previous example, we'll overwrite the first megabyte of our
new pseudo-device.
>
>   # dd if=/dev/zero of=/dev/rsd0c bs=1m count=1

Why?

It isn't clear to me why I'd want to do this. It's clear in the referenced
"previous example" why you'd want actual random data to surround the
random-looking encrypted data to obscure its presence/boundary.