From: ide <id...@my...> - 2003-09-03 16:15:03
|
It is calamity when missing keyfile, so encrypt virtdisk with password only is good idea, can it come true?
The other questions:
1, How big file vncrypt can support? 10G、20G? or more?
2,Can it work stable under 4.8 and 5.1 or higher?
3, The virtdisk was made under 4.8, would it be used under 5.1 or higher? |
From: Jean M. <jm...@pl...> - 2003-09-03 18:37:55
|
hi

On Thu, 04 Sep 2003 00:15:04 +0800, ide wrote
> It is calamity when missing keyfile, so encrypt virtdisk with
> password only is good idea, can it come true?

not sure this is feasible, imho. but i'm no coder.
why not backing up keyfile offsite ?

> The other questions:
> 1, How big file vncrypt can support? 10G、20G? or more?

i experienced up to 80Go, my guess is that it can even work with bigger disks
bad luck it's slow to read/write data encrypted, but one can't have
performance and security at the same time

> 2,Can it work stable under 4.8 and 5.1 or higher?

works fine, afaik, under 4.x, i was unable to compile it for 5.1, so i had to
dump files from one box to another when i upgraded my system to 5.1

> 3, The virtdisk was made under 4.8, would it be used under 5.1 or higher?

can't reply to this, but with GEOM/BDE now existing in 5.x i doubt it. it
already seems that tcfs, from the ports also, has been abandoned. i don't
know if vncrypt is still supported or at least will be upgraded to 5.x or
follow the same path. there is not much talk in the ML since i applied, so...

-J.

--
No trees were destroyed in the sending of this message, however
a significant number of electrons were terribly inconvenienced. |
From: Tommi <st...@ik...> - 2003-09-03 18:56:44
|
On Wed, Sep 03, 2003 at 07:35:53PM +0100, Jean Martin wrote:
> > The other questions:
> > 1, How big file vncrypt can support? 10G、20G? or more?
>
> i experienced up to 80Go, my guess is that it can even work with bigger disks
> bad luck it's slow to read/write data encrypted, but one can't have
> performance and security at the same time

done 240 gigs. Took 6 hours to make the dummy file.

> > 2,Can it work stable under 4.8 and 5.1 or higher?
>
> works fine, afaik, under 4.x, i was unable to compile it for 5.1, so i had to
> dump files from one box to another when i upgraded my system to 5.1

Haven't been able to compile either. Also, the sourceforge site suggests that it never will.

I'd give a serious thought to moving to GEOMBDE
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

Gives loads of performance while incorporating better cryptographic algorithms.

--
Sty |
From: Jean M. <jm...@pl...> - 2003-09-03 22:54:32
|
On Wed, 3 Sep 2003 21:56:38 +0300, Tommi Lätti wrote
> On Wed, Sep 03, 2003 at 07:35:53PM +0100, Jean Martin wrote:
> > > The other questions:
> > > 1, How big file vncrypt can support? 10G、20G? or more?
> >
> > i experienced up to 80Go, my guess is that it can even work with bigger disks
> > bad luck it's slow to read/write data encrypted, but one can't have
> > performance and security at the same time
>
> done 240 gigs. Took 6 hours to make the dummy file.

'only' 6 hours for 240Go, which crypto was used ?
i recall i had roughly around this time for my 80Go, using cbc-blowfish max
level available, and i'm not sure i was blocked because of the load. to
improve speed i would have had to use a lesser encryption level/algo but
security was most important.

> > > 2,Can it work stable under 4.8 and 5.1 or higher?
> >
> > works fine, afaik, under 4.x, i was unable to compile it for 5.1, so i had to
> > dump files from one box to another when i upgraded my system to 5.1
>
> Haven't been able to compile either. Also, the sourceforge site
> suggests that it never will.

most probably, yep.

> I'd give a serious thought to moving to GEOMBDE
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
> Gives loads of performance while incorporating better cryptographic algorithms.

i fully agree on this, much more than vncrypt does ever, but the more
powerful your box is the more you can get from it as i have been able to
experience, which is something i couldn't get with vncrypt it seemed to reach
a bottleneck whatever CPU i used (but it may be because of me not doing the
right things.. unlikely but..) and i got better crypto and functionalities,
but this is OT.

so, quoting myself, one can't have both security and performance.

however to stay close to this ML main theme, and to get back to the original
post, if you want to avoid keyfile considering it to be a single point of
failure or else, GEOM/BDE is a possible alternative, vncrypt won't provide
this kind of trick because of its concept
but bear in mind that either solution makes you stick to one or the other
architecture as you can't mix vncrypt with 5.1+ or bde with 4.x, at present at
least. thus making each of them complementary regarding to your system.

-J.

> --
> Sty

--
No trees were destroyed in the sending of this message, however
a significant number of electrons were terribly inconvenienced. |
From: relay.infosec.ru <bl...@ru...> - 2003-09-06 20:24:17
|
> done 240 gigs. Took 6 hours to make the dummy file.

What is "dummy file"? Crypto container or file on crypto disk?

>> works fine, afaik, under 4.x, i was unable to compile it for 5.1, so i had to
>> dump files from one box to another when i upgraded my system to 5.1
> Haven't been able to compile either. Also, the sourceforge site suggests that it never will.

Vncrypt never will, trust me :) mdcrypt is for 5.x-CURRENT.
http://sourceforge.net/forum/forum.php?forum_id=204869
Almost same code, but in another "wrapper". |
From: relay.infosec.ru <bl...@ru...> - 2003-09-06 20:14:29
|
> can't reply to this, but with GEOM/BDE now existing in 5.x i doubt it. it
> already seems that tcfs, from the ports also, has been abandoned. i don't
> know if vncrypt is still supported or at least will be upgraded to 5.x or
> follow the same path. there is not much talk in the ML since i applied, so...

Looking at GBDE, i thought it's _TOO_MUCH_PARANOID_ (anyone really care about
AES insecurity? REALLY?) and looking at mdcrypt/vncrypt development. Can
anyone make some performance tests on mdcrypt and GBDE? Vncrypt was not
developed last year mostly because there is no user feedback at all, and
there is only few questions about 5-X version in last two months.

Sorry for bad english, it's not my native, and i'm on vacation, drunk and so
on :))))) |
From: Jean M. <jm...@pl...> - 2003-09-09 15:28:23
|
Hi :)

not drunk anymore ? how is your head ;)
for the english it's ok, it's not my mother tongue either so..!

well, i agree on the paranoid stuff, but i would say that if you're a
sysadmin, either you're paranoid before applying for the job either you
become quickly paranoid ! personally i was a little before applying and got
more and more as time goes by !
and that's partly why i'm not using the corporate OS/software that my company
wants its employees to use on my laptop but a nice, stable and as secure as
possible freebsd

for the benchmarking of GBDE and mdcrypt i can find some time to do some and
let you know the results asap

see ya !
-j.

On Sun, 7 Sep 2003 00:13:14 +0400, relay.infosec.ru wrote
> > can't reply to this, but with GEOM/BDE now existing in 5.x i doubt it. it
> > already seems that tcfs, from the ports also, has been abandoned. i don't
> > know if vncrypt is still supported or at least will be upgraded to 5.x or
> > follow the same path. there is not much talk in the ML since i applied,
> > so...
>
> Looking at GBDE, i thought it's _TOO_MUCH_PARANOID_ (anyone really care about
> AES insecurity? REALLY?) and looking at mdcrypt/vncrypt development. Can
> anyone make some performance tests on mdcrypt and GBDE? Vncrypt was not
> developed last year mostly because there is no user feedback at all, and
> there is only few questions about 5-X version in last two months.
>
> Sorry for bad english, it's not my native, and i'm on vacation, drunk and so
> on :)))))
>

--
No trees were destroyed in the sending of this message, however
a significant number of electrons were terribly inconvenienced. |
From: Andrey S. <bl...@ru...> - 2003-09-11 07:55:34
|
Tuesday, September 9, 2003, 7:26:15 PM, you wrote:

JM> well, i agree on the paranoid stuff, but i would say that if
JM> you're a sysadmin, either you're paranoid before applying
JM> for the job either you become quickly paranoid ! personnaly i was
JM> a little before applying and got more and more as time goes by !

IANARCE (I Am Not A Real Crypto Expert :) but it looks like covering
Abrams tank with some wood plates, "to increase armor strength".
Computing passphrase entropy and requiring it to be "good enough" will
be more useful security feature than some complex algorithms
protecting against potential AES weakness.

JM> and that's partly why i'm not using the corporate OS/software that
JM> my company wants its employees to use on my laptop
JM> but a nice, stable and as secure as possible freebsd

JM> for the benchmarking of GBDE and mdcrypt i can find some time to
JM> do some and let you know the results asap

Thanks. I'm very interested how much this additional security costs,
and I have no 5.x installed right now.

--
Best regards,
Andrey mailto:bl...@ru... |
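
The passphrase-entropy gate suggested in the last message, sketched as an added example; it is not code from vncrypt, mdcrypt or GBDE, and was not posted by anyone in this thread. The function names, the 64-bit threshold and the character-class pool sizes are assumptions chosen for illustration.

```python
import math
import string
from collections import Counter

MIN_BITS = 64  # assumed policy threshold, not a value from the thread

# Character classes and the pool size each contributes (assumed values).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

def pool_bits(passphrase: str) -> float:
    """length * log2(pool), where pool sums the classes actually used."""
    pool = sum(size for chars, size in CLASSES
               if any(c in chars for c in passphrase))
    # Characters outside the four ASCII classes count as one extra class.
    if any(all(c not in chars for chars, _ in CLASSES) for c in passphrase):
        pool += 64
    return len(passphrase) * math.log2(pool) if pool else 0.0

def shannon_bits(passphrase: str) -> float:
    """length * empirical per-character entropy; penalises repetition."""
    n = len(passphrase)
    if n == 0:
        return 0.0
    counts = Counter(passphrase)
    per_char = -sum(k / n * math.log2(k / n) for k in counts.values())
    return n * per_char

def estimate_bits(passphrase: str) -> float:
    # Both figures are upper bounds, so keep the smaller one. Dictionary
    # words and known phrases still score too high: the result is optimistic.
    return min(pool_bits(passphrase), shannon_bits(passphrase))

def accept(passphrase: str, min_bits: float = MIN_BITS) -> bool:
    """Gate to run before a passphrase is used to protect a disk key."""
    return estimate_bits(passphrase) >= min_bits

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("a" * 20, "password", "correct horse battery staple"):
        print(f"{sample!r}: {estimate_bits(sample):.1f} bits, "
              f"accepted={accept(sample)}")
```

The 20-character run of one letter passes a pool-size check alone (about 94 bits) but scores 0 on the frequency estimate, which is why the gate takes the minimum of the two.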