/g/ - Technology
install openbsd
[Make a Post]OpenBSD softraid-crypto or reop:
https://www.openbsd.org/faq/faq14.html
https://humungus.tedunangst.com/r/reop
>>4430
You should. I would like to think that I'm rather autistic about writing crypto code correctly.
so is veracrypt nanochan approved?
i need to share an encrypted disk between Windows and Linux.
Encrypting storage mediums vs files are for protecting against different scenarios. Also the best encryption is an algorithm unique to yourself. Pick a popular and strong exist encryption algorithm and make a small change to it. Make sure this change doesn't decrease the strength of the algorithm. If you do this no commercial solutions will be able to decrypt your algorithm out of the box. This will mean they will have to dedicate time to reverse engineer your algorithm and then implement it into whatever program they are using for bruteforcing in / decryption using a password they have somehow acquired. The goal is for them to accidentally spend forever bruteforcing for the wrong algorithm.
>>4450
Depends why you are encrypting it. If it's just for regulatory reasons than go for it whatever. I'd personally avoid private files on Windows. Botnet software practices are much more common on that platform compared to GNU / Linux.
>>4454
It's my media disk, lots of pirared stuff, i need it on windows cause of vidya, i was planning on using btrfs as a filesystem so maybe you can give me an opinion also on that.
>>4454
>make a small change to it.
Don't do it. First rule of encryption: don't do it, unless you know what you're doing.
>>4458
>OY VEY GOY, don't protect yourself, let (((us))) do the work for you, ya goy bastid!
You reek of masonry, fucking anti-white kike.
File: 5481e0f17a703263bd8208220d615cc4bef9613dc8e832aa441205a45ddcc811.jpg (dl) (337.76 KiB)

>>4454
I hope that by "encryption algorithm changing" you mean an algorithm that actually requires a passphrase, i.e symmetric crypto and not some data mishmashing like with substitution cipher or something.
Because if it's the former, you still have your data hidden behind a passphrase and it's not clear why you would change the algorithm if it's secure in the first place. And if it's the latter, it's probably susceptible to frequency analysis or whatever.
File: bef6a568f817da31d395288e967f54c2112f7811456d6e8394b7117a1a3cbf58.jpg (dl) (326.85 KiB)

> It's my media disk, lots of pirared stuff, i need it on windows cause of vidya
What a time to live in.
People using strong crypto to hide pirated shit. xD
>>4473
Unless you know what you're doing, don't do it.
Even if you get a reference specification, such as AES-256, you might still be prone to errors (language specific, such as memory management) or timining attacks:
https://en.wikipedia.org/wiki/Timing_attack
Just use some know-good library:
https://github.com/jedisct1/libsodium
https://github.com/project-everest/hacl-star
If you really want to get into cryptography, the Cryptol language and TLA+ specifications can reduce the number of issues you would have using plain C:
https://www.cryptol.net/
https://lamport.azurewebsites.net/tla/tla.html
>>4458
>Don't do it
There's a reason I said to use an existing currently accepted algorithm in the crypto community. The ability to turn cipher text into random looking data makes covering your mistakes with your part of the algorithm easy.
>>4474
>Unless you know what you're doing, don't do it.
Don't you have some stack overflow posts you should be answering?
Timing attacks, power analysis attacks, not clearing memory, etc are not necessary depending on what scenario you are using the crypto code in.
File: 5a0bb89c6827d84533991c22f0f5d46b4f33f3626f330b751229d94d30b1521c.jpg (dl) (66.80 KiB)

>>4462
You are all lying, jewish shills who project an image of cryptography being harder than it is. You Masonic little fuckers keep spreading disinformation and subversiveness in order to prevent the goyim from learning or implementing cryptography. I use my own cryptography to protect my most important files, and they are more secure than any NSA-sanctioned Israeli bullshit you would reccommend.
Fuck off moshe, fuck off chaim. The goyim are writing their own encryption now, tough luck! You can't crack any of them anymore. There's nothing you can do about us protecting our own data. Does that make you mad Goldstein? Too bad!
The Goyim are writing their own encryption. The Goyim are protecting their data. And the KIKES are kvetching like mad!
File: 80cc3520f17425a662498b5d0ff07270e01ba1120528150b483ab030bf8ff482.png (dl) (831.86 KiB)

There's a regular gnu/linux installation with regular fde (unencrypted /boot/ and everything else on luks+lvm)
Then there's the actual gnu/linux system that I use:
The /boot/ partition is located on a flash drive that's almost always with me
The luks volume starts somewhere in the middle of that first system's luks volume, the header is stored on the flash drive.
So if someone gets to have physical access to my computer, the best they could do is perform an `evil maid` attack on the dummy system, which I don't give two shits about.
Or if someone really wants to see what I store on my PC I can seemingly comply and again just give them the password for the dummy system. That's assuming they don't know about the flash drive, of course.
Now, can openbsd do that?
>>4474 (me)
>>4475
Fine, go play with your substitution cipher.
>>4477
>Now, can openbsd do that?
AFAIK, with softraid-crypto the boot is encrypted on openbsd. The only part not encrypted is the one that executes the kernel if your passphrase is correct. Someone could temper this to keylog, but realistically they would be much better just using your firmware to do that or a dummy device:
https://ortegaalfredo.github.io/logic-monsters/
https://hackmag.com/security/rubber-ducky/
I would like to mention SiriKali which supports many different encrypted folder scenarios. https://github.com/mhogomchungu/sirikali
>>4479
But can it create an encrypted volume with a detached header, or in any other such way that wouldn't allow detecting the encrypted volume's presence?
>>4513
Don't know. You can create encrypted volumes without the system in it (using bioctl(8)) and you can also create a keydisk (the system will boot only with this keydisk attached - he generates a random key automatically).
But, I don't know if you can "detach header". Ask on openbsd-misc mailing list...
>>4476
>I use my own cryptography to protect my most important files, and they are more secure than any NSA-sanctioned Israeli bullshit you would reccommend
Depends on your threat model. If you're just encrypting your furry futa hentai then it's probably fine. I think the point people are trying to make though is that if somebody targets you in a serious way they will probably find a bug in your code or your algorithm unless you know what you're doing. And the bar is much much higher than you seem to think. Unless you've actually worked at an NSA-like organization breaking real world crypto then it would be better to assume you don't know what you're doing. Have you even broken any crypto systems as a hobby? Have you even looked at candidates for crypto standards like AES and understand the peer review comments and vulnerabilities that were found?
>Israeli bullshit
This obsession with Israel is weird. Jews have a disproportionate amount of influence but they're not gods. And more importantly they have a heck of a lot of enemies and all those enemies are using the same crypto so where's this backdoor?
>>4477
>The luks volume starts somewhere in the middle of that first system's luks volume, the header is stored on the flash drive.
That's cool actually. One thing to consider is if someone has repeated physical access they will see that the all the bytes before the real partition never change and bytes after that point do change so they'll be able to figure something is up. But then again someone with repeated physical access can plant a hardware keylogger or spy camera or something anyway.
>>4479
>Someone could temper this to keylog, but realistically they would be much better just using your firmware to do that
Backdooring an open source general purpose OS kernel is much easier than backdooring some obscure hardware specific firmware. Not least because firmware typically has the bare minimum resources (RAM/CPU/NVM etc.) to do only it's job and nothing else.
>>4514
>Ask on openbsd-misc mailing list...
Truth be told I've never encountered an OpenBSD shill on an imageboard who actually knew anything about anything...
>>4738
I'm not sure what do you mean, but I use OpenBSD for some years now. I'm actually posting through 6.5 release.
I don't claim to be an expert. But, having configured openbsd many times and read many things, I could at least help other anons.
>>4742
When you encrypt a disk you typically have a non-encrypted header to hold information like offset, length, algorithms, keyslots (for changing password) etc. Since bioctl doesn't seem to expose any of those parameters except -P I think it's almost definitely using a header.
The question is can you store that header separately from the encrypted data? Linux can with LUKS and --header switch.
Or can you just encrypt devices without a header and give all relevant parameters on the command line every time you decrypt? Linux can with cryptsetup (and no LUKS).
I'm not >>4513 but I think the point here is deniability. Encrypted data is indistinguishable from random noise so being able to move or avoid the header is important.
It kind of looks like OpenBSD has some magic commands that does what 90% of people want but nobody knows how it actually works or how to do something advanced.
I'm just tired of obnoxious kids shilling OpenBSD everywhere you look but when you engage them with an actual question they never have a clue.
>>4748
>The question is can you store that header separately from the encrypted data?
My answer is exact the same as I said before in >>4514
>when you engage them with an actual question they never have a clue.
The most simple answer for your question is "no", you can't store the header in other place. But I'm not sure because I'm not a developer, I'm just a user. If you want to complain do it on openbsd-misc.
Also, I'm shilling anything. You use any OS you want. We are in a imageboard, if you don't want to discuss anything, prove my arguments are wrong or just troll you can just go to >>>/l/ or leave.
Forget the tools you retarded nerds.
What encryption ciphers do you use?
File: 664218e640c3c998926697a6e18c95bac8ed22e69b522593d1b20c4a4061c512.jpg (dl) (87.55 KiB)

>>4811
I use one of the MS Windows. The seed for encryption comes from the TPM, it's
>"trusted".
I also use antivirus software which is constantly checking file hashes on every file with which I interact and it pre-checks every link on the web. I am perfectly safe.
File: 5c0e3e76fba08acf600f07b2dfb50abcee77b62fd043cee35b94f9a29b0fe380.jpg (dl) (26.69 KiB)

>>4477
Does the USB device UID show up in the log files when you attach/detach it from the computer?
https://www.dyne.org/software/tomb/
You can store tombs within images, audio files, virtual machines, and rename both the keys and the files to essentially change the file format and disappear the volume. It's an interesting system.
>>4748
What are good methods of backing up Luks headers? I'm thinking of storing the header in efivars however I still want to be able to backup the header incase I want to recover data from my drive on another computer.
>>4854
I dislike those kinds of solutions. it seems like security theater without knowing wether its usefull. salts and passwords are better stored completely off machine or at a known good location for specific attacks. besides, all files possible on my machine are encrypted, there are no files to store keys within and only encrypting specific files gives you the opposite of denyability.
>>4854
Oh yeah, and people working in infosec dealing with intellectual property theft have tools to recognise when file formats dont correspond to typical data stored in them. (Like when you change a confidential pdf doc into .mp4 and change the name to Beyonce) So unless you know these tools in and out you might literally put the keyfile at the top of their list.
There was a youtube video but I'm too lazy to search for it and yt has prolly banned it.
You can always multi hide inside a virtual machine. Open VirtualBox, run Whonix or whatever, download tomb, create file, create key, save, rename files, they lose their original format and bcome apple files, hide those files in steghide files, multiple keys, multiple formats, files within files within VM.
>What are good methods of backing up Luks headers
Put them on a microsd card which you keep hidden off site.
So Mossad can hack me if I just encrypted following Linux installation default method? Will microwaving destroy evidence of blaming kikes on everything?
>>5222
I highly discourage you using this. They say on their page AES-256 is broken. This show how they are incapable of understanding cryptography.
First link they point to a TEMPEST attack on AES. This is a side-channel attack, not crypto attack, and can happen with any kind of cryptography. The same with timing attacks, accoustic analysis or deterministic RNG.
The second link says quantum computers break AES-256. Daniel Berstein said on CCC that AES-256 is one of the few crypto that wouldn't be broke by quantum cryptoanalysis.
I highly discourage you using this. They say on their page AES-256 is broken. This show how they are incapable of understanding cryptography.
First link they point to a TEMPEST attack on AES. This is a side-channel attack, not crypto attack, and can happen with any kind of cryptography. The same with timing attacks, accoustic analysis or deterministic RNG.
The second link says quantum computers break AES-256. Daniel Berstein said on CCC that AES-256 is one of the few crypto that wouldn't be broke by quantum cryptoanalysis.
So this is maybe a dumb question but I have been using the enc command through OpenSSL to encrypt and decrypt files on my local machine. Is there anything wrong with doing this? I havent seen it recommended in this thread but using AES192-CBC seemed like a good option and has been my goto.
Can anyone tell me if there is something wrong with this?
Can anyone tell me if there is something wrong with this?
File: 8530ff9844498b15dd0358d505b2e8e83df38fe969dadd9bcf4e70ccccc08ecd.png (dl) (226.55 KiB)

>>6549
There is not necessarily a problem with what you are doing. I'm pretty sure Wikileaks has actually released insurance files that were merely openssl encrypted.
There is not necessarily a problem with what you are doing. I'm pretty sure Wikileaks has actually released insurance files that were merely openssl encrypted.
when I share child pornography with my pedo friends on the internet, we encrypt the file using 7-Zip, then we upload it to clearnet file sharing website, then post link and password on pedo forum
7-Zip uses AES and it's open source, it's great for child porn
7-Zip uses AES and it's open source, it's great for child porn
>>6549
Not bad, but you should use LibreSSL or Everest:
https://project-everest.github.io/
OpenSSL is not trustworthy.
You can also try reop:
https://humungus.tedunangst.com/r/reop
>AES192-CBC
Not sure about that. AES-256 should always be prefered.
Not bad, but you should use LibreSSL or Everest:
https://project-everest.github.io/
OpenSSL is not trustworthy.
You can also try reop:
https://humungus.tedunangst.com/r/reop
>AES192-CBC
Not sure about that. AES-256 should always be prefered.
[Catalog][Overboard][Update]
[Reply]7 files, 55 replies
Which tools do you use to encrypt your data?Do you encrypt entire storage medium or just particular files?