is zeroing CRYPT needed?


is zeroing CRYPT needed?

obsd, cgi
according to:
http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl

dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

is needed. But why?


Re: is zeroing CRYPT needed?

Norman Golisz-3
On Mon Nov 25 2013 10:08, obsd, cgi wrote:
> according to:
> http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
>
> dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
>
> is needed. But why?

Since it's likely to contain garbage. If this area has been in use
before, there's a good chance it exposes "random" data, which could, and
most probably will, confuse fdisk. That's why you have to "wipe" the
area in advance.


Re: is zeroing CRYPT needed?

Luca Ferrari
In reply to this post by obsd, cgi
On Mon, Nov 25, 2013 at 10:08 AM, obsd, cgi <[hidden email]> wrote:
> according to:
> http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
>
> dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
>
> is needed. But why?

Isn't it already explained?
"the first megabyte of it should be zeroed, so tools like fdisk(8) or
disklabel(8) don't get confused by the random data that appears on the
new disk."

Luca


Re: is zeroing CRYPT needed?

Nick Holland
In reply to this post by obsd, cgi
On 11/25/13 04:07, obsd, cgi wrote:
> according to:
> http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
>
> dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
>
> is needed. But why?
>

I've actually found it more useful to zero the raw RAID partition than
the "assembled" softraid "disk".  This takes care of the case where
previous softraid disks had been created, which can be quite frustrating
when they pop up again unexpectedly.

That's from experience...haven't been able to convince the softraid
developers, so I suspect there's something to *also* zeroing the
assembled disk.

It takes but a couple seconds to do.  Just do it.

Nick.


Re: is zeroing CRYPT needed?

obsd, cgi
Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
I would dd zero the physical disk for the first.. dunno, 10 MBytes?


2013/11/25 Nick Holland <[hidden email]>

> On 11/25/13 04:07, obsd, cgi wrote:
> > according to:
> > http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
> >
> > dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
> >
> > is needed. But why?
> >
>
> I've actually found it more useful to zero the raw RAID partition than
> the "assembled" softraid "disk".  This takes care of the case where
> previous softraid disks had been created, which can be quite frustrating
> when they pop up again unexpectedly.
>
> That's from experience...haven't been able to convince the softraid
> developers, so I suspect there's something to *also* zeroing the
> assembled disk.
>
> It takes but a couple seconds to do.  Just do it.
>
> Nick.


Re: is zeroing CRYPT needed?

Luca Ferrari
On Tue, Nov 26, 2013 at 9:49 AM, obsd, cgi <[hidden email]> wrote:
> Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
> I would dd zero the physical disk for the first.. dunno, 10 MBytes?

I don't see how and why it should be easier. We are talking about a
single line dd command with a different target and count, isn't it?

Luca


Re: is zeroing CRYPT needed?

Nick Holland
On 11/26/13 04:29, Luca Ferrari wrote:
> On Tue, Nov 26, 2013 at 9:49 AM, obsd, cgi <[hidden email]> wrote:
>> Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
>> I would dd zero the physical disk for the first.. dunno, 10 MBytes?
>
> I don't see how and why it should be easier. We are talking about a
> single line dd command with a different target and count, isn't it?
>
> Luca

Not only that, zeroing the physical disk doesn't resolve the problem you
may run into.

People tend to be creatures of habit.  Given no reason to do otherwise,
people tend to do the same thing over and over.

So...today, you take a couple disks, zero the first 10MB, put a 1G boot
partition and make the rest RAID, then build a mirrored set, do your
testing, and call it done.

Tomorrow, you take the same disk, zero the first 10MB, put a 1GB boot
partition on it, and make the rest RAID, and intend to build a crypto
RAID partition on it.  Except...Poof! your RAID1 chunk is baaack!  Why?
Because you didn't touch the softraid data which is 1GB up the disk.

Done this a few times. :-/

Just zero the RAID partition.
Then, especially in the case of crypto, zero the RAID disk, too.

(yeah, I just slightly changed my advice.  Thinking about it further,
fdisk and disklabel sometimes have got really confused by things that
don't look right.  I think things have been improving there, but I'm not
sure all edge cases have been fixed.  If you zero the RAID partition
BEFORE creating a RAID1, odds are what is there will look like a lot of
zeros.  Crypto...almost certainly it WON'T look like a lot of zeros, and
it might be useful to put it to a lot of zeros first.  So, zeroing the
partitions then zeroing the softraid "disk" is the safest and easiest.
Can you skip one?  Maybe.  If it fails, trust me, you will lose all the
time you think you saved, many times over)

Nick.
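
The scenario in the post above can be reproduced safely on an image file. This is an added example, not part of the original thread: the image file, the `OLD-SOFTRAID-METADATA` marker and the 16 MB partition offset (scaled down from the 1G boot partition) are constructed stand-ins, and the real softraid on-disk format is not modelled.

```shell
#!/bin/sh
# Constructed simulation: a sparse image file stands in for the physical disk.
MB=1048576
PART_OFF_MB=16                    # assumed start of the RAID partition (scaled down from 1G)
MARKER="OLD-SOFTRAID-METADATA"    # constructed stand-in, not the real on-disk format

# make_disk IMAGE: 32 MB sparse "disk" with stale metadata at the partition start.
make_disk() {
    dd if=/dev/zero of="$1" bs=$MB seek=31 count=1 2>/dev/null
    printf '%s' "$MARKER" |
        dd of="$1" bs=$MB seek=$PART_OFF_MB conv=notrunc 2>/dev/null
}

# zero_range IMAGE START_MB LENGTH_MB: overwrite a range of the image with zeros.
zero_range() {
    dd if=/dev/zero of="$1" bs=$MB seek="$2" count="$3" conv=notrunc 2>/dev/null
}

# has_marker IMAGE: succeeds while the stale metadata is still readable.
has_marker() {
    found=$(dd if="$1" bs=$MB skip=$PART_OFF_MB count=1 2>/dev/null | tr -d '\000')
    [ "$found" = "$MARKER" ]
}

demo() {
    img=$(mktemp) || return 1
    make_disk "$img"
    zero_range "$img" 0 10                   # "zero the first 10MB" of the disk
    has_marker "$img" && echo "after zeroing disk start: old metadata still present"
    zero_range "$img" "$PART_OFF_MB" 1       # zero the start of the RAID partition
    has_marker "$img" || echo "after zeroing partition start: old metadata gone"
    rm -f "$img"
}
demo
```
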


Re: is zeroing CRYPT needed?

Ted Unangst-6
In reply to this post by obsd, cgi
On Tue, Nov 26, 2013 at 09:49, obsd, cgi wrote:
> Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
> I would dd zero the physical disk for the first.. dunno, 10 MBytes?

Putting zeroes on the outside of an encrypted partition does not put
zeroes on the inside of the encrypted partition.


Re: is zeroing CRYPT needed?

obsd, cgi
Thanks everyone, now I understand!

have a nice day! :) :)


2013/11/26 Ted Unangst <[hidden email]>

> On Tue, Nov 26, 2013 at 09:49, obsd, cgi wrote:
> > Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
> > I would dd zero the physical disk for the first.. dunno, 10 MBytes?
>
> Putting zeroes on the outside of an encrypted partition does not put
> zeroes on the inside of the encrypted partition.