Bug 235108 - GELI leaves streaks of zeros for every encrypted sector; suggestion to randomize
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-geom mailing list
Reported: 2019-01-21 14:03 UTC by Arjan van der Velde
Modified: 2019-03-18 18:44 UTC

Description Arjan van der Velde 2019-01-21 14:03:17 UTC

Surprised by seeing streaks of zeros every 4k on my geli encrypted drive, I realized they are zero-padded sectors (i.e. the 9th sector underlying every encrypted 4K). I was wondering if it’d be a good idea to do this instead, in order to not give away sector start/end information in the case where metadata is destroyed:

[freebsd .../geom/eli]$ svn diff
Index: g_eli_integrity.c
--- g_eli_integrity.c	(revision 343023)
+++ g_eli_integrity.c	(working copy)
@@ -472,7 +472,7 @@
 			 * only partially filled.
 			if (bp->bio_cmd == BIO_WRITE)
-				memset(data + sc->sc_alen + data_secsize, 0,
+				arc4random_buf(data + sc->sc_alen + data_secsize,
 				    encr_secsize - sc->sc_alen - data_secsize);
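Review bot: The comment above `if (bp->bio_cmd == BIO_WRITE)` still describes the tail only as "partially filled" and should be updated to say the unused bytes are now filled with random data, and why (so sector boundaries are not visible if the metadata is destroyed). The argument change itself is consistent: dropping the `0,` matches the two-argument form of arc4random_buf(buf, len), and the length expression `encr_secsize - sc->sc_alen - data_secsize` is unchanged. Two things to confirm before this goes in: that nothing on the read or verify path expects these trailing bytes to be zero, and what the added arc4random_buf call costs in write throughput, since it runs on each BIO_WRITE that reaches this branch.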

[freebsd .../geom/eli]$


— Arjan
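
As an added illustration (not part of the report and not GELI code), the Python example below builds a constructed image with the layout described above and shows that zeroed padding exposes the 9-sector stride while random padding does not. The 512-byte sector size and the 224-byte padding length are assumptions, and random bytes stand in for ciphertext and authentication data.

```python
import os
import re
from collections import Counter

SECTOR = 512   # provider sector size in bytes (assumed)
GROUP = 9      # provider sectors behind one encrypted 4K sector (from the report)
PAD = 224      # unused bytes at the end of the 9th sector (assumed value)

def build_image(groups, random_pad):
    """Constructed sample: random bytes stand in for ciphertext and auth data."""
    out = bytearray()
    for _ in range(groups):
        out += os.urandom(GROUP * SECTOR - PAD)
        # The report's change: fill the tail with random bytes instead of zeros.
        out += os.urandom(PAD) if random_pad else bytes(PAD)
    return bytes(out)

def zero_runs(image, min_len=16):
    """Return (offset, length) of every run of at least min_len zero bytes."""
    pattern = re.compile(rb"\x00{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(image)]

def inferred_stride(image, min_len=16):
    """Most common spacing between the ends of zero runs, or None if none found."""
    ends = [off + length for off, length in zero_runs(image, min_len)]
    gaps = Counter(b - a for a, b in zip(ends, ends[1:]))
    return gaps.most_common(1)[0][0] if gaps else None

if __name__ == "__main__":
    for label, rnd in (("zero padding", False), ("random padding", True)):
        img = build_image(32, rnd)
        print(label, "runs:", len(zero_runs(img)), "stride:", inferred_stride(img))
```

With zeroed padding the inferred stride is 9 x 512 = 4608 bytes, which is the sector start/end information the report refers to; with random padding no zero runs are found.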
Comment 1 Conrad Meyer freebsd_committer 2019-01-21 16:32:00 UTC
I'm having trouble imagining an attack that is aided by the end of sector zeroes.  Do you have something specific in mind?
Comment 2 Arjan van der Velde 2019-01-21 17:16:16 UTC
(In reply to Conrad Meyer from comment #1)

Plausible deniability of the existence of structured data on the provider. If all data on a drive is indistinguishable from random, one would be able to deny that there is data on the drive at all.
Comment 3 Conrad Meyer freebsd_committer 2019-01-21 17:55:29 UTC
I'm having trouble seeing that as plausible or any different from partially zeroed :-).  You could claim (with equal plausibility, IMO) that the alternating random / zeroes doesn't store any data; it's just silly and isn't going to be believed in the same way it won't if you make that claim with all random bytes.

You're familiar with https://xkcd.com/538/ ?
Comment 4 Arjan van der Velde 2019-01-22 16:15:10 UTC
(In reply to Conrad Meyer from comment #3)

OK. Well, regardless of opinions on what generally would actually happen when asked for a password by law enforcement, I think there is a case for making it harder to detect the presence of a geli provider, so I figured I'd put the idea out there.

-- Arjan
Comment 5 D. Ebdrup 2019-03-18 18:44:49 UTC
Wasn't GEOM BDE designed to allow for plausible deniability, and even an attempt at defeating rubber-hose cryptography?