OpenBSD security features: Difference between revisions

Content deleted Content added
Other features: OpenBSD is secure by default, to not waste users' time and to require conscious decisions to reduce security.
Moved the paragraph about full disk encryption to under the cryptography heading.
Line 26:
== Cryptography and randomization ==
One of the goals of the OpenBSD project is the integration of facilities and software for [[strong cryptography]] into the core operating system. To this end, a number of low-level features are provided, including a source of strong [[pseudorandom number generator|pseudo random numbers]];<ref>{{cite conference |url= https://www.usenix.org/legacy/publications/library/proceedings/usenix99/deraadt.html |title = Cryptography in OpenBSD: An Overview |first1= Theo |last1= de Raadt |author-link1= Theo de Raadt |first2= Niklas |last2= Hallqvist |first3= Artur |last3= Grabowski |first4= Angelos D. |last4= Keromytis |first5= Niels |last5= Provos |author-link5= Niels Provos|date= June 6, 1999 |conference= [[USENIX]] Annual Technical Conference |___location= Monterey, California |access-date= January 30, 2005}}</ref> built-in [[cryptographic hash functions]] and transforms; and support for cryptographic hardware ([[OpenBSD Cryptographic Framework]]). These abilities are used throughout OpenBSD, including the [[bcrypt]] password-hashing algorithm<ref>{{cite conference |url=https://www.usenix.org/legacy/events/usenix99/provos.html |title=A Future-Adaptable Password Scheme |last1=Provos |first1=Niels |author-link1=Niels Provos |last2=Mazières |first2=David |date=June 6, 1999 |___location=Monterey, California |conference=[[USENIX]] Annual Technical Conference |access-date=May 26, 2016}}</ref> derived from [[Bruce Schneier]]'s [[Blowfish (cipher)|Blowfish]] [[block cipher]], which takes advantage of the CPU-intensive Blowfish [[key schedule]], making [[brute-force attacks]] less practical.
 
In OpenBSD 5.3, support for [[full disk encryption]] was introduced,<ref>{{cite web|title=OpenBSD 5.3|url=http://www.openbsd.org/53.html|website=OpenBSD|access-date=May 26, 2016}}</ref> but enabling it during the installation of OpenBSD had required manual intervention from the user by exiting the installer and entering some commands. Starting from OpenBSD 7.3, the installer supports enabling full disk encryption using a guided procedure, not requiring manual intervention anymore.<ref>{{cite web |title=OpenBSD 7.3 |url=https://www.openbsd.org/73.html |website=www.openbsd.org |access-date=19 April 2023}}</ref><ref>{{cite web |title=Initial support for guided disk encryption in the installer |url=https://undeadly.org/cgi?action=article;sid=20230308063109 |website=undeadly.org |access-date=19 April 2023}}</ref>
 
To protect sensitive information such as [[password]]s from leaking onto disk, where it can persist for many years, OpenBSD supports encryption of the swap partition. The swap space is split up into many small regions that are each assigned their own encryption key: as soon as the data in a region is no longer required, OpenBSD securely deletes it by discarding the encryption key.<ref>{{cite conference |url=https://www.usenix.org/legacy/publications/library/proceedings/sec2000/provos.html |title=Encrypting Virtual Memory |last1=Provos |first1=Niels |author-link1=Niels Provos |date=August 14, 2000 |___location=Denver, Colorado |conference=9th [[USENIX]] Security Symposium |access-date=April 9, 2006 }}</ref> This feature is enabled by default in OpenBSD 3.8 and later.
Line 48 ⟶ 50:
 
OpenBSD is intended to be secure by default, which includes (but is not limited to) having all non-essential services disabled by default. This is done not only so that users need not learn how to secure their computers, and spend time doing so, after installing OpenBSD, but also in the hope of making users more aware of security considerations by requiring them to make conscious decisions before enabling features that could reduce their security.<ref>{{cite web |title=OpenBSD: Security — "Secure by Default" |url=https://www.openbsd.org/security.html#default |website=www.openbsd.org |access-date=27 September 2023}}</ref>
 
 
OpenBSD 5.9 included support for the then-new <code>pledge</code> [[system call]] (introduced in OpenBSD 5.8 as <code>tame</code> and renamed in 5.9 to <code>pledge</code>) for restricting process capabilities to the minimal subset required for correct operation.<ref>{{cite web|title=pledge() - a new mitigation mechanism|url=https://www.openbsd.org/papers/hackfest2015-pledge|website=OpenBSD|access-date=May 19, 2018}}</ref> If the process is compromised and attempts to perform an unintended behavior, it is terminated by the kernel. OpenBSD 6.4 introduced the <code>unveil</code> [[system call]] for restricting [[filesystem]] visibility to a minimum level.<ref>{{cite web|title=unveil — unveil parts of a restricted filesystem view|url=https://man.openbsd.org/unveil|website=OpenBSD manual pages|access-date=2020-05-15}}</ref> <code>pledge</code> and <code>unveil</code> are used together to confine applications, further limiting what they would otherwise be permitted to do under the user account they run as. Since the introduction of <code>pledge</code>, base OpenBSD programs (included [[Out of the box (feature)|out of the box]] in OpenBSD), third-party applications (handled by their developers), and ports of applications (handled by the OpenBSD team) have been updated to be confined with <code>pledge</code> and/or <code>unveil</code>. Examples of third-party applications updated with these features (by their developers or in OpenBSD's ports) include the [[Chromium (web browser)|Chromium]] and [[Firefox]] [[web browser]]s.
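The confinement pattern described above, as an added example that is not part of the article or the OpenBSD project: a process first uses <code>unveil</code> to expose exactly one file read-only, locks the view, then uses <code>pledge</code> to drop every system-call class except <code>stdio</code> and <code>rpath</code> before reading the file. The sample file path and its contents are constructed for the example; on OpenBSD the real system calls from <code>&lt;unistd.h&gt;</code> are used, while on other systems the labelled no-op stubs only make the file compile (assumption: such hosts have no <code>pledge</code>/<code>unveil</code>), so the confinement itself is demonstrated only on OpenBSD.

```c
/* Added example, not from the Wikipedia article or the OpenBSD project:
 * the unveil(2)-then-pledge(2) pattern used to confine a program.
 * On OpenBSD the real system calls (declared in <unistd.h>) are used.
 * Elsewhere the stubs below let the file compile; they confine nothing. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: non-OpenBSD hosts lack pledge/unveil; no-op stubs for portability. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/* Create a constructed sample file BEFORE confinement. Doing this afterwards
 * would need the "wpath cpath" promises, which are deliberately not made. */
int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (fputs("constructed sample line\n", f) == EOF) {
        fclose(f);
        return -1;
    }
    return fclose(f);
}

/* Confine the process to stdio plus read-only access to exactly one path,
 * then read that path into buf (NUL-terminated). Returns bytes read or -1.
 * Once confined, on OpenBSD: opening any path not unveiled fails with ENOENT,
 * and a system call outside "stdio rpath" (open for writing, socket, fork...)
 * terminates the process with SIGABRT. Order matters: unveil() itself is not
 * in the "stdio rpath" set, so the view is built and locked before pledging. */
ssize_t confined_read(const char *path, char *buf, size_t buflen)
{
    if (buflen == 0)
        return -1;
    /* 1. Make only the needed file visible, read-only. */
    if (unveil(path, "r") == -1)
        return -1;
    /* 2. Lock the view: no further unveil() calls are accepted. */
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* 3. Shrink the system-call surface; execve is not promised at all. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;

    int fd = open(path, O_RDONLY);   /* allowed: rpath covers read-only open */
    if (fd == -1)
        return -1;
    size_t total = 0;
    while (total < buflen - 1) {
        ssize_t n = read(fd, buf + total, buflen - 1 - total);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Convenience wrapper: confine, read, and compare against expected content.
 * Returns 1 on match, 0 on mismatch, -1 on error. */
int confined_read_matches(const char *path, const char *expected)
{
    char buf[256];
    ssize_t n = confined_read(path, buf, sizeof buf);
    if (n < 0)
        return -1;
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

int main(void)
{
    const char *path = "/tmp/pledge_unveil_example.txt"; /* constructed path */
    char buf[256];
    if (write_sample(path) != 0) {
        perror("write_sample");
        return 1;
    }
    ssize_t n = confined_read(path, buf, sizeof buf);
    if (n < 0) {
        perror("confined_read");
        return 1;
    }
    printf("read %zd bytes under confinement: %s", n, buf);
    /* From here on the process may only use stdio and read-only path ops. */
    return 0;
}
```

The two calls are kept in that order on purpose: once <code>pledge("stdio rpath", NULL)</code> has run, a further <code>unveil</code> call would itself be a violation unless the <code>unveil</code> promise had been included, so a program builds its filesystem view first and shrinks its system-call set last.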