
I lost my OpenBSD full-disk encryption password - oskarth
https://blog.filippo.io/so-i-lost-my-openbsd-fde-password/
======
0xmohit
Enlightenment always takes a while :)

    
    
      I later found a nice article documenting the entire system. It
      also includes references to JohnTheRipper having a module for
      this. Well, this was more fun.
    

--

Wonder how many times the same items are posted:
[https://news.ycombinator.com/from?site=filippo.io](https://news.ycombinator.com/from?site=filippo.io)

~~~
f-
Off-topic, but my personal work sometimes ends up on the front page, and I'm
always amazed how much reposting there is on HN - probably more than on Reddit
and similar sites. Say, here's my stuff:

[https://news.ycombinator.com/from?site=lcamtuf.blogspot.com](https://news.ycombinator.com/from?site=lcamtuf.blogspot.com)

[https://news.ycombinator.com/from?site=coredump.cx](https://news.ycombinator.com/from?site=coredump.cx)

The process seems quite random; sometimes, the same link is submitted four
times and lingers at score 1, and then some random dude's fifth attempt goes
to #1. May be an interesting thing to graph (and get a #1 story on HN out of
=).

~~~
monksy
I wish that more personal projects were posted here on the site. It's a bit
tiresome to read about startups.

~~~
clarry
I suspect they just get lost in the noise. HN is pretty high volume, the front
page is short, and articles quickly fall down under if they don't manage to
get enough attention from the get-go.

Certainly these are more interesting for me than news about whatever the big
tech companies are doing right now.

------
camtarn
The previous article, about a lost password for a NAS, is hilarious and well
worth a read as well:

[https://blog.filippo.io/so-i-lost-the-password-of-my-nas/](https://blog.filippo.io/so-i-lost-the-password-of-my-nas/)

~~~
bcook
He's lost _two_ VITAL passwords? This seems like a false premise then (which
is fine, but the fictional premise seems unneeded and disrespectful).

~~~
FiloSottile
Ehhmmmm. _stares at feet_

I wish I could tell you anything better than "in my defense, I seem to forget
only one vital password per year..."

(But seriously, I never risked data: the WD didn't have FDE, it was just a
matter of salvaging the hardware; the OpenBSD was still in the middle of a
migration and I had the source still accessible, so it was a matter of saving
time. And it's fun.)

~~~
vog
_> I seem to forget only one vital password per year_

For me, it helps to enter the passwords from time to time. The easiest way to
do this is to reboot.

If you have moral issues with rebooting a system where rebooting is not
necessary, maybe run just the password checker, e.g. by unlocking a second
volume that has the same password, or something.

~~~
clarry
I've recently gotten in the habit of writing passwords (or at least a part of
them) down in a notebook. There are just too many passwords to remember, some
of which I use very very rarely. I don't trust any password managers running
on a networked computer or (gasp) phone, so paper is good for me. Plus it's
more reliable.

------
moyix
Quick question for the more cryptographically inclined: apparently after
decryption the code does an HMAC validation:

    
    
        /* Check that the key decrypted properly. */
        sr_crypto_calculate_check_hmac_sha1(sd->mds.mdd_crypto.scr_maskkey,
    

Does this mean it's using Mac-Then-Encrypt? And if so, is it likely doomed
[1]?

[1] [https://moxie.org/blog/the-cryptographic-doom-principle/](https://moxie.org/blog/the-cryptographic-doom-principle/)

~~~
JoachimSchipper
OpenBSD uses XTS, which is what you should do _for disk crypto_ (only). For
more background, see
[http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/](http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/).

~~~
koverstreet
Awesome article, thanks for posting.

This explains better than I could the whole point of doing encryption in
bcachefs:

[https://bcache.evilpiepirate.org/Encryption/](https://bcache.evilpiepirate.org/Encryption/)
[https://news.ycombinator.com/item?id=12410798](https://news.ycombinator.com/item?id=12410798)

------
Drdrdrq
If he wanted to know the value of the salt for his disk, wouldn't it be easier
if he just modified the sources so it would be printed out?

~~~
FiloSottile
I... Actually didn't think of that, to be honest. But it would have involved
rebuilding the OpenBSD kernel, so it probably wasn't easier. Also, the tool
wouldn't have been reusable. But yeah, good thinking.

~~~
Drdrdrq
I am not familiar with OpenBSD, so it never occurred to me one might have to
rebuild kernel for this... Anyway, nice write-up, glad you cracked it in the
end! :)

------
cperciva
_the rounds number 0x2000_

Does anyone know if this is the default? If I'm understanding this correctly,
it's around 10 ms of key derivation time; on FreeBSD we default to 2 s, which
should make cracking disk encryption 200x more expensive.

~~~
FiloSottile
That's the default. Easy to override--and I did after this--but admittedly
_ew_. Maybe we should email the OpenBSD list?

~~~
cperciva
Please do. I'm not sure exactly which list would be appropriate, and I don't
want to provoke a "FreeBSD guy coming in and trying to tell us what to do"
reaction anyway.
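
The work-factor comparison in this sub-thread, as an added example that is not part of the original comments or of OpenBSD's code: it times one key derivation at the quoted `0x2000` rounds on the local machine and calibrates a rounds value for a target derivation time. PBKDF2-HMAC-SHA1 is an assumption (the thread only shows an HMAC-SHA1 check and never names the KDF), and the function names, passphrase and salt are constructed for illustration.

```python
import hashlib
import os
import time

DEFAULT_ROUNDS = 0x2000  # the rounds value quoted in the thread (8192)


def derive(passphrase: bytes, salt: bytes, rounds: int, length: int = 32) -> bytes:
    """Stretch a passphrase with PBKDF2-HMAC-SHA1 (assumed KDF, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, rounds, length)


def seconds_per_round(probe_rounds: int = DEFAULT_ROUNDS, repeats: int = 5) -> float:
    """Best-of-N timing so scheduler noise does not inflate the estimate."""
    salt = os.urandom(16)  # constructed sample salt
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive(b"constructed sample passphrase", salt, probe_rounds)
        best = min(best, time.perf_counter() - start)
    return best / probe_rounds


def calibrate_rounds(target_seconds: float, per_round: float) -> int:
    """Rounds needed for one derivation to take about target_seconds,
    never going below the quoted default."""
    return max(DEFAULT_ROUNDS, round(target_seconds / per_round))


def guess_cost_multiplier(rounds: int, baseline: int = DEFAULT_ROUNDS) -> float:
    """PBKDF2 cost is linear in rounds, so the ratio of round counts is
    also the factor by which every offline guess gets more expensive."""
    return rounds / baseline


if __name__ == "__main__":
    per_round = seconds_per_round()
    print(f"{DEFAULT_ROUNDS} rounds: {per_round * DEFAULT_ROUNDS * 1000:.2f} ms here")
    for target in (0.1, 0.5, 2.0):
        rounds = calibrate_rounds(target, per_round)
        print(f"target {target:>4} s -> {rounds} rounds "
              f"({guess_cost_multiplier(rounds):.0f}x cost per guess)")
```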

------
zakk
While reading I had the feeling that the author was reverse-engineering open
source software...

~~~
notaplumber
In essence, that's precisely what he's doing. The exact on-disk metadata
layout may not be documented anywhere, so he pieced it together using the
structure definitions in the source code.

For those reading along at home, what is being done here is a run-of-the-mill
bruteforce, this article could be about any FDE implementation.

So now the real question .. what was the password? :-)

~~~
Doctor_Fegg
hunter2

~~~
notaplumber
All I see is *******

------
z3t4
When deciding to encrypt, let's say a backup, you need to ask yourself, is the
data better lost than in the hands of the wrong people.

~~~
userbinator
Indeed. Good data encryption is also far stronger than the things like locks
that people make analogies to in the real world. There is essentially no
locksmith. If you lose the key, your data is gone forever. As illustrated by
this article, if you have weak passphrases there are ways around it, so I
suppose it is possible to "tune" the strength of your encryption that way.

~~~
caf
I think the implication wasn't that the passphrase was weak, but that it was
mostly known.

------
SwellJoe
I briefly went all-in on security, cryptocurrency, tor, etc., and had a locked
down desktop machine encrypted with LUKS. Then, I moved, and it took me a few
weeks to get the computer set back up. In that time, I'd forgotten my
passphrase. So, I have a desktop machine containing (at least) a couple
hundred bucks worth of cryptocurrencies that I can't open. I still _think_ I
remember the passphrase I used, but it doesn't work, so I'm obviously missing
a word or a punctuation addition (I used the CorrectHorseBatteryStaple method
of making a memorable passphrase in this case).

I've been known to do dumb things, and going down the rabbit hole of
cryptocurrencies and how to securely use said currencies was one of them.
These days I put everything of importance into Google drive, Dropbox, and/or
git (not github...a privately hosted git that I access via ssh and runs on a
VM on hardware I own in a data center I trust). If it is sensitive, it is
encrypted with a passphrase I've been using for a couple decades, and so it is
unlikely to be forgotten. A high capability attacker could thwart my
protections, I'm sure, but I don't have any reason to believe a high
capability attacker has any interest in me.

And, I don't hold much cryptocurrency, and what I do hold is at Coinbase, just
sitting there on the off chance Bitcoin really does take over the world and a
small amount turns into a big value.

~~~
wglb
_but I don't have any reason to believe a high capability attacker has any
interest in me_

Note what George Smiley is known to reply: "There was _every_ reason":

Peter Guillam: Well, at the time there was no reason to suppose the phone was
tapped...

George Smiley: There was every reason.

(from
[http://www.imdb.com/character/ch0030043/quotes](http://www.imdb.com/character/ch0030043/quotes)
as well as the book)

------
_ph_
So, for the layman, does this mean, the encryption can be practically cracked
or not?

~~~
Tuna-Fish
If you almost know the right passphrase, it can be. If you don't, and the
passphrase is good, it can't.

~~~
_ph_
Thanks, that is reassuring :). Would have been a good addition to that article.
Of course, if you are lacking just a few letters in the password, brute
forcing gets much more applicable.

------
ams6110
Hm, if it were me and I had just set up the new system and then promptly
forgot the password, I'd just reinstall.

------
EGreg
Why not have your passwords be hashes of passphrases?

~~~
rwallace
Because that would add little entropy at the cost of much inconvenience, which
is the opposite of what you want.

------
AWildDHHAppears
That's why I keep them written down in my safe!

~~~
yuja_wang
I do that too! I have the same "suffix" that's on all of them that I leave off
the written version for a tiny bit of extra security. It's just a few
characters that I've been using consistently for years on written-down
passwords.

------
imaginenore
That's why you always

1) store passwords in the password manager, even the ones you think aren't
important.

2) backup your data

~~~
koolba
> 1) store passwords in the password manager, even the ones you think aren't
> important.

Losing the password that unlocks full disk encryption (FDE) is like losing the
password that unlocks your password manager. At some point you have to have
something stored only in your mind.

Now sure you could have your FDE password stored in a password manager as well
but that's probably not a good idea. Also, compared to just about everything
else saved in a password manager, you'd have to manually type the FDE password
at boot. You can't copy/paste it as if anything your password manager would be
running on a different computer.

~~~
TillE
> stored only in your mind

A sticky note at home is reasonably safe, unless you're legitimately worried
that a dedicated person may target you specifically.

~~~
bigiain
I have portions of my password safe passphrase stored with certain friends. If
I get hit by a bus, those friends will almost certainly work out who each
other are and what to do with the snippets they have. (And I "mind" several
snippets of passphrase for some of them as well).

Not "nation state" secure, but I'm reasonably sure it's well beyond petty
thief, curious cow-orker, 4chan/anonymous, or local LEO's capability to
subvert.

