# FreeBSD encryption



## Zohaib Online (Apr 9, 2017)

Is the FreeBSD 11 encryption offered during the installation process strong enough to match the OpenBSD encryption for international users (not US users), or is there a different version for international users for legal purposes?


----------



## Oko (Apr 10, 2017)

Zohaib Online said:


> Is the FreeBSD 11 encryption offered during the installation process strong enough to match the OpenBSD encryption for international users (not US users), or is there a different version for international users for legal purposes?


FreeBSD(DragonFly) and NetBSD being located in the U.S. are subject to U.S. export encryption restrictions/laws/regulations. That is one of the principal reasons OpenBSD is located in Canada which has no similar export restriction laws when it comes to cryptography. Typically once OpenBSD code is put on one of the U.S. mirrors it should not be taken out of the country unless you want to deal with authorities. Historically NetBSD and FreeBSD used to be shipped as stripped-down versions for non-U.S. users. That is also one of the reasons you have MIT and Heimdal (Sweden) implementations of the Kerberos protocol.

If you care for encryption and privacy of any kind, make sure your project/code is not located on U.S. soil. Canada, Switzerland, Iceland, and Sweden are good candidates for such projects.


----------



## Zohaib Online (Apr 10, 2017)

I know there was a restriction previously; that is why DES was dropped for international users in favor of MD5. I would like to know the current status of FreeBSD cryptography for everyone.

Thank You


----------



## usdmatt (Apr 10, 2017)

> FreeBSD(DragonFly) and NetBSD being located in the U.S. are subject to U.S. export encryption restrictions/laws/regulations. That is one of the principal reasons OpenBSD is located in Canada which has no similar export restriction laws when it comes to cryptography.



Does that have any bearing on the strength of encryption in FreeBSD, or any other US based OS, today though? All operating systems ship with high grade encryption software these days, including Windows & macOS that are heavily US based. iOS devices encrypt everything with a hardware locked key by default even without enabling it.

As far as I'm aware there are no different versions of FreeBSD for US/International use. The GELI system in FreeBSD for example uses a 256 bit user key and 1024 bit master key. OpenSSL is also bundled which is used globally in highly security-sensitive places.

Unfortunately I'm not a security expert so I can't say "yes, FreeBSD has encryption as strong as OpenBSD" but I suspect they have very similar support of encryption features/algorithms. (Ignoring any possible flaws or bugs in implementation of course).


----------



## Zohaib Online (Apr 10, 2017)

Hmm. Looks logical to me


----------



## aht0 (Apr 20, 2017)

usdmatt said:


> Does that have any bearing on the strength of encryption in FreeBSD, or any other US based OS, today though? All operating systems ship with high grade encryption software these days, including Windows & macOS that are heavily US based. iOS devices encrypt everything with a hardware locked key by default even without enabling it.


AFAIK Microsoft is getting around the issue by having Windows compiled in Ireland, not in the U.S. Correct me if I am wrong. 
Fascinating topic!


----------



## getopt (Apr 20, 2017)

Oko said:


> Kerbers


Oko, Кербер are a legacy rock band from Niš.

You may want to edit s/Kerbers/Kerberos/ in your valuable post so that origin Sweden becomes true.


----------



## SirDice (Apr 20, 2017)

Zohaib Online said:


> I know there was a restriction previously; that is why DES was dropped for international users in favor of MD5.


That doesn't add up. DES is an encryption scheme, MD5 is a hash. You're probably referring to the 128 bit vs. 40 bit restriction of 3DES for SSL.


----------



## Oko (Apr 20, 2017)

getopt said:


> Oko, Кербер are a legacy rock band from Niš.
> 
> You may want to edit s/Kerbers/Kerberos/ in your valuable post so that origin Sweden becomes true.



One would think that the person whose late mother was born and is buried at the local cemetery in the city of Niš should know that. Don't you think so?

Cheers,
Oko

P.S. I fixed the post and I am listening to Сеобе by Кербер, thinking of my mother right now.


----------



## Zohaib Online (Apr 24, 2017)

SirDice said:


> That doesn't add up. DES is an encryption scheme, MD5 is a hash. You're probably referring to the 128 bit vs. 40 bit restriction of 3DES for SSL.


Yes, that was on my mind.


----------



## Deleted member 9563 (Apr 25, 2017)

gpatrick said:


> Because of the strong encryption, I believe that non-US users are not to download from US-based sites due to export restrictions, and doing so can get the maintainers of the site in legal trouble.



I guess for all intents and purposes I'm a US user since I use a VPN there. Not that I care, but if it keeps the maintainers out of trouble it's a good thing.


----------

