d83db3fb6a
You should not be using DES. You should not have been using DES for the
past 30 years.
The ed DES-CBC scheme lacked several desirable properties of a sealed
document system, even ignoring DES itself. In particular, it did not
provide the "integrity" cryptographic property (detection of tampering), and
it treated ASCII passwords as 64-bit keys (instead of using a KDF like
scrypt or PBKDF2).
Some general approaches ed(1) users might consider to replace the removed
DES mode:
1. Full disk encryption with something like AES-XTS. This is easy to
conceptualize, design, and implement, and it provides confidentiality for
data at rest. Like CBC, it lacks tampering protection. Examples include
GELI, LUKS, FileVault2.
2. Encrypted overlay ("stackable") filesystems (EncFS, PEFS?, CryptoFS,
others).
3. Native encryption at the filesystem layer. Ext4/F2FS, ZFS, APFS, and
NTFS all have some flavor of this.
4. Storing your files unencrypted. It's not like DES was doing you much
good.
If you have DES-CBC scrambled files produced by ed(1) prior to this change,
you may decrypt them with:
openssl des-cbc -d -iv 0 -K <key in hex> -in <inputfile> -out <plaintext>
Reviewed by: allanjude, bapt, emaste
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D17829
|
||
|---|---|---|
| .. | ||
| boot | ||
| bsdbox | ||
| build | ||
| bus_space | ||
| debugscripts | ||
| diag | ||
| ifnet | ||
| kerneldoc | ||
| KSE | ||
| LibraryReport | ||
| regression | ||
| sched | ||
| test | ||
| tools | ||
| install.sh | ||
| make_libdeps.sh | ||
| README | ||
| tinder.sh | ||
$FreeBSD$ This directory tree contains tools used for the maintenance and testing of FreeBSD. There is no toplevel Makefile structure since these tools are not meant to be built as part of the standard system, though there may be individual Makefiles in some of the subdirs. Please read the README files in the subdirs for further information.