PSA: Yes, 64-byte key file is OK

Michał ‘mina86’ Nazarewicz | 4 kwietnia 2017

In an earlier entry I’ve changed generated key file used for disk encryption from 4096 to meagre 64 bytes. I gave no mention of that adjustment considering it unimportant but have since been enquired about security of such a short password.

Rest assured, a 64-byte key file is sufficient for any symmetric encryption (disk encryption being one example) and anything more does not improve security.

Czytaj dalej »

Go: string↔[]byte

Michał ‘mina86’ Nazarewicz | 28 lutego 2017

Yes… I’ve started coding in Go recently. It lacks many things but the one feature relevant to this post is const keyword. Arrays and slices in particular are always mutable and so equivalent of C’s const char * does not exist.

On the other hand, strings are immutable which means that conversion between a string and []byte requires memory allocation and copying of the data¹. Often this might be acceptable but to squeeze every last cycle the following two functions might help achieve zero-copy implementation:

func String(bytes []byte) string {
	hdr := *(*reflect.SliceHeader)(unsafe.Pointer(&bytes))
	return *(*string)(unsafe.Pointer(&reflect.StringHeader{
		Data: hdr.Data,
		Len:  hdr.Len,
	}))
}

func Bytes(str string) []byte {
	hdr := *(*reflect.StringHeader)(unsafe.Pointer(&str))
	return *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
		Data: hdr.Data,
		Len:  hdr.Len,
		Cap:  hdr.Len,
	}))
}

Depending on the length of the strings, the difference in performance might be noticeable:

Czytaj dalej »

PSA: Creating world-unreadable files

Michał ‘mina86’ Nazarewicz | 5 lutego 2017

I’ve been reading tutorials on using key files for disk encryption. Common approach for creating such a file is:

Step 1: Create a random key file

head -c 4096 /dev/urandom >keyfile

Step 2: Make the file readable by owner only

chmod 400 keyfile

*sighs* Please, stop doing this and spreading that method. The correct way of achieving the effect is:

Step 1: Create a random key file readable by owner only

(umask 077; head -c 64 /dev/random >keyfile)

Or if the file needs to be created as root while command is run by a different user:

Step 1: Create a random key file readable by root only

sudo sh -c 'umask 077; head -c 64 /dev/random >keyfile'

The first method creates the file as world-readable¹ and before its permission are changed anyone can read it. The second method creates the file as readable only by its owner from the very beginning thus preventing the secret disclosure.

Czytaj dalej »