Bug 235108

Summary: GELI leaves streaks of zeros for every encrypted sector; suggestion to randomize
Product: Base System Reporter: Arjan van der Velde <vandervelde.ag>
Component: kernAssignee: freebsd-geom (Nobody) <geom>
Status: New ---    
Severity: Affects Only Me CC: cem
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Arjan van der Velde 2019-01-21 14:03:17 UTC 
Hi!

Surprised by seeing streaks of zeros every 4k on my geli encrypted drive, I realized they are zero-padded sectors (i.e. the 9th sector underlying every encrypted 4K). I was wondering if it’d be a good idea to do this instead, in order to not give away sector start/end information in the case where metadata is destroyed:

[freebsd .../geom/eli]$ svn diff
Index: g_eli_integrity.c
===================================================================
--- g_eli_integrity.c	(revision 343023)
+++ g_eli_integrity.c	(working copy)
@@ -472,7 +472,7 @@
 			 * only partially filled.
 			 */
 			if (bp->bio_cmd == BIO_WRITE)
-				memset(data + sc->sc_alen + data_secsize, 0,
+				arc4random_buf(data + sc->sc_alen + data_secsize,
 				    encr_secsize - sc->sc_alen - data_secsize);
 		}

[freebsd .../geom/eli]$

Thanks!

— Arjan
Comment 1 Conrad Meyer freebsd_committer freebsd_triage 2019-01-21 16:32:00 UTC 
I'm having trouble imagining an attack that is aided by the end of sector zeroes.  Do you have something specific in mind?
Comment 2 Arjan van der Velde 2019-01-21 17:16:16 UTC 
(In reply to Conrad Meyer from comment #1)

plausible deniability of the existence of structured data on the provider. if all data on a drive is indistinguishable from random, one would be able to deny that there is data on the drive at all.
Comment 3 Conrad Meyer freebsd_committer freebsd_triage 2019-01-21 17:55:29 UTC 
I'm having trouble seeing that as plausible or any different from partially zeroed :-).  You could claim (with equal plausibility, IMO) that the alternating random / zeroes doesn't store any data; it's just silly and isn't going to be believed in the same way it won't if you make that claim with all random bytes.

You're familiar with https://xkcd.com/538/ ?
Comment 4 Arjan van der Velde 2019-01-22 16:15:10 UTC 
(In reply to Conrad Meyer from comment #3)

ok. well, regardless of opinions on what generally would actually happen when asked for a password by law enforcement, i think there is a case for making it harder to detect the presence of a geli provider so, i figured i put the idea out there.

-- Arjan
Comment 5 Daniel Ebdrup Jensen freebsd_committer freebsd_triage 2019-03-18 18:44:49 UTC 
Wasn't GEOM BDE designed to allow for plausible deniability, and even an attempt at defeating rubber-hose cryptography?