geli or gbde encryption of slices
Hello,

I was playing around with geli and gbde after the last EuroBSDCon.
I liked the idea of encrypting my data, which resides in /home/$user.
Since this is a "single" user laptop, I intended to encrypt the
whole /home partition. Well, no problems with that. But I wanted
the lockfile or keyfile on a separate USB disc, which would be
mounted or used during boot of the system. I also used gshsec on
the USB disc to make things even more difficult.

Well, here is what I found. You can't use a non-mounted disc for
the keys; to take things further, geli asks for the access passphrase
before any filesystems except / are mounted. gbde fails as well because
the system can't interactively query for the passphrase.

I wanted to use a 3-way authentication for the slice: encrypted fs,
a USB key and passphrase. I can use geli without the USB key (keyfile),
but that would render a brute-force entry possible.

Is there a way to get something like this working? I even
thought of using something like the vendor, product and serial IDs as
the "keyfile", which could be used with any USB device on the USB bus.

Have any of you thought about these things, and do you have a way to do
this sort of thing (keyfile on USB drive)?

Robert

--
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
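One way to get what the post asks for, a geli keyfile kept on a USB stick combined with a passphrase typed at the console, as an added example that is not part of the original post or of FreeBSD's own rc scripts. The device names and paths are hypothetical: the encrypted /home provider is assumed to be ada0s1d, the USB stick's msdosfs partition /dev/da0s1, and the keyfile keys/home.key on that stick. The setup commands in the comments use geli's documented -K (init) and -k (attach) keyfile options; the attach helper is meant to be run later in boot than /etc/rc.d/geli (for instance from rc.local or a custom rc.d script), with /home marked noauto in fstab and mounted after the attach, which sidesteps the ordering problem described in the post rather than changing the geli rc script itself.

```sh
#!/bin/sh
# Added example (not from the post): attach a geli-encrypted /home using a
# keyfile on a USB stick plus the passphrase typed at the console.
# All device names and paths below are hypothetical; adjust to your system.
PROVIDER="${PROVIDER:-ada0s1d}"              # geli provider holding /home
USB_DEV="${USB_DEV:-/dev/da0s1}"             # msdosfs partition on the USB stick
USB_MNT="${USB_MNT:-/mnt/usbkey}"            # where the stick is mounted briefly
KEYFILE_REL="${KEYFILE_REL:-keys/home.key}"  # keyfile path relative to the stick
HOME_MNT="${HOME_MNT:-/home}"                # fstab entry carrying "noauto"

# One-time setup, run by hand (kept as comments so this script stays safe to run):
#   mount -t msdosfs "$USB_DEV" "$USB_MNT" && mkdir -p "$USB_MNT/keys"
#   dd if=/dev/random of="$USB_MNT/keys/home.key" bs=64 count=1   # random, secret keyfile
#   geli init -K "$USB_MNT/keys/home.key" "/dev/$PROVIDER"       # also prompts for a passphrase
#   geli backup "/dev/$PROVIDER" "/root/$PROVIDER.eli"           # keep a copy of the metadata
#   newfs "/dev/$PROVIDER.eli"
# From then on attaching needs BOTH the keyfile (-k) and the passphrase, so
# someone holding only the laptop cannot brute-force the passphrase by itself.

# Wait up to $2 seconds for device node $1 to appear (USB enumeration is slow).
wait_for_device() {
    dev=$1; secs=$2
    while [ "$secs" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    [ -e "$dev" ]
}

# Print the keyfile path below mount point $1; fail if it is missing or empty.
find_keyfile() {
    f="$1/$KEYFILE_REL"
    [ -s "$f" ] && [ -r "$f" ] || return 1
    printf '%s\n' "$f"
}

# Mount the stick read-only, attach the provider, unmount the stick, mount /home.
attach_home() {
    mkdir -p "$USB_MNT"
    wait_for_device "$USB_DEV" 30 || { echo "USB key $USB_DEV not present" >&2; return 1; }
    mount -t msdosfs -o ro "$USB_DEV" "$USB_MNT" || return 1
    key=$(find_keyfile "$USB_MNT") || {
        echo "keyfile missing on stick" >&2
        umount "$USB_MNT"
        return 1
    }
    # geli combines the keyfile with the passphrase it reads from the console.
    geli attach -k "$key" "/dev/$PROVIDER"
    rc=$?
    umount "$USB_MNT"              # the stick is only needed for the attach
    [ "$rc" -eq 0 ] && mount "$HOME_MNT"
    return $rc
}

# Only perform the attach when invoked as "script attach", so it can be sourced.
if [ "${1:-}" = "attach" ]; then
    attach_home
fi
```

Two practical caveats. Losing either the keyfile or the passphrase locks the data out for good, so the `geli backup` copy of the metadata belongs somewhere safe, and the keyfile itself should be a random blob as above: USB vendor, product and serial IDs are readable by anyone who plugs the stick in and are far too low-entropy to stand in for a secret keyfile. The 30-second wait also means a missing stick delays boot rather than failing it immediately; shorten it if that matters on your machine.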