Disk encryption

There aren’t many details about the encryption mechanism used by OpenBSD for full-disk encryption in its documentation.

Fortunately, Thiébaud Weksteen wrote a comprehensive article on the topic in 2015.

tl;dr The passphrase goes through iterations of PBKDF2, to decrypt keys stored on the disk, encrypted with AES-ECB-256, to then decrypt the disk, encrypted with AES-XTS-128. Validation of the passphrase is done by taking the SHA1 of the PBKDF2 derivations, taking the HMAC of the decrypted keys, and comparing it against a value stored in clear-text on the disk.

As mentioned in the blogpost, the current implementation only use one key, instead of 32 different ones, each for a different portion of the disk. The number of rounds for the derivation is apparently computed so that it takes around one second to compute them.

This is looking like a solid design, pretty similar to what LUKS is doing.

Unfortunately, it doesn’t support using a TPM or an enclave (like Intel’s SGX, AMD’s SEV, …) to perform key-derivation and prevent offline bruteforcing.