Disk encryption

There aren’t many details about the encryption mechanism used by OpenBSD for full-disk encryption in its documentation.

Fortunately, Thiébaud Weksteen wrote a comprehensive article on the topic in 2015.

tl;dr The passphrase goes through iterations of PBKDF2, to decrypt keys stored on the disk, encrypted with AES-ECB-256, to then decrypt the disk, encrypted with AES-XTS-256 Validation of the passphrase is done by taking the SHA1 of the PBKDF2 derivations, taking the HMAC of the decrypted keys, and comparing it against a value stored in clear-text on the disk.

As mentioned in the blogpost, the current implementation only use one key, instead of 32 different ones, each for a different portion of the disk. The number of rounds for the derivation is apparently computed so that it takes around one second to compute them.

The default number of rounds for the PBKDF2 derivation was 0x2000 in 2016, but it seems that there is some benchmarking being done inplace so that the derivation takes around one second.

In March 2023, disk encryption support was added by Klemens Nanni to the installer. Previously, it ad to be done manually by dropping into a shell during the installation process.

This is looking like a solid design, pretty similar to what LUKS is doing.

Unfortunately, it doesn’t support using a TPM or an enclave (like Intel’s SGX, AMD’s SEV, …) to perform key-derivation and prevent offline bruteforcing.