On Fri 26 Jun 2020 at 15:06:31 (-0700), David Christensen wrote:
> On 2020-06-26 06:07, David Wright wrote:
> > On Fri 19 Jun 2020 at 14:52:11 (-0700), David Christensen wrote:
> >
> > > Benchmark is one thing. But, from a security viewpoint, writing zeros
> > > to an encrypted volume amounts to providing blocks of plaintext for
> > > corresponding blocks of cyphertext, thereby facilitating
> > > cryptanalysis.
> >
> > So in view of the unlikelihood of badblocks actually logging something
> > more useful than SMART (where available) or normal disk write errors,
> > perhaps a compromise (for my use case) is to just write /dev/urandom
> > rather than /dev/zero.
>
> Copying random data to a partition while creating an encrypted
> filesystem provides a high-entropy backdrop to conceal ciphertext
> blocks. This is a form of steganography. The Debian Installer manual
> partitioning page has an option to do this.

I presume you meet this option when you select "Configure encrypted
volumes", something that I've never done. Because currently I only
encrypt /home and swap, I set these up after installation, if they're
not already there. I must admit that I prefer to partition disks and
set up encryption outside the d-i, usually capturing the process with
script.

> As the storage is used, the initial random blocks will be overwritten
> by ciphertext blocks. Depending upon filesystem, encryption, volume
> management, and/or device details, the steganography degrades and may
> eventually disappear.
>
> Copying random data to storage will add fresh nearly-random blocks on
> the device, improving the steganography. (The canonical example is to
> copy /dev/urandom to a file until the filesystem fills up, and then
> delete the file. But, this takes time and adds wear to the device.)

Yes, SSD caveat taken on board.

> > On this slow machine with an oldish PATA disk,
> > I can get about 75% speed from urandom, 15MB/s vs 20MB/s on a 29GiB
> > partition (no encryption). There's a noticeable slowdown because,
> > I presume, the machine runs a bit short of entropy after a while.
>
> I think you are noticing a slowdown when the Linux write buffer fills.

I'm not sure where these write buffers might be hiding: the 2000-vintage
PC has 512MB memory, and the same size swap partition, though the latter
is on a disk constructed one month earlier than the target disk (Feb/Mar
2008). The target disk has 8MB of cache.

With a leisurely determination of dd's PID, my first USR1 poke occurred
no earlier than after 4GB of copying, over three minutes in.

Cheers,
David.