Re: geli or gbde encryption of slices
- From: "OxY" <oxy@xxxxxxxx>
- Date: Fri, 16 Dec 2005 20:27:45 +0100
i have a question about chosing geli or gbde.. which one is faster (read/write)? i use gbde, and it's quite slow.. may i create the .bde partition again with larger sector size? which size is optimal?
thanks!
On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote: +> Hello, +> +> I was playing around with geli an gbde after last EuroBSDCon. +> I liked the idea of encrypting my data which resides in /home/$user. +> Since this is a "single" user laptop i intended to encrypt the +> whole /home partition. Well no problems with that. But i wanted +> the lockfile or keyfile on a seperate usb disc. Which would be +> mounted or used during boot of the system. I also used gshsec on +> the usb disc to even make things more difficult. +> +> Well here is what i found. You can't use a none mounted disc for +> the keys, to take things further geli asks for the access passphrease +> before any filesystems except / is mounted. Gbde fails also because +> the system can't do interactivaly query for the passphrase.
Unfortunately we needed to make a choice here: allow to encrypt /usr/, etc. or allow for getting keys from more sources.
You can still do what you want, but not via rc.d/geli directly.
Geli(8) itself allows to use key from the raw device or anything else, rc.d/geli is the thing which is not such flexible. You may want to try adding some code to /etc/rc.local (which will take part of the key from passphrase, part from USB Pen Drive and part for gshsec(8) device):
(cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | /sbin/geli attach -k /dev/stdin /dev/ad0s1e
fsck_ffs -p /dev/ad0s1e.eli
mount /dev/ad0s1e.eli /mnt/secure
Assuming that /mnt/pendrive is already mounted (it should be if placed in /etc/fstab).
+> I wanted to use a 3 way authentication for the slice, encrypted fs, +> a usb key and passphrase. I can use geli without the usb key (keyfile). +> But that would render a possible bruteforce entry.
Even when you use passphrase only, geli(8) provides PKCS#5v2 to strength it. I'm using it with 131072 iterations, so it is 2^17 times harder to brute-force my passphrase and takes about 2-3 seconds to attach encrypted device on my laptop.
-- Pawel Jakub Dawidek http://www.wheel.pl pjd@xxxxxxxxxxx http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am!
----- Original Message ----- From: "Pawel Jakub Dawidek" <pjd@xxxxxxxxxxx>
To: "Robert Blacquiere" <freebsd-security@xxxxxxxxxxxxxxx>
Cc: "freebsd-security" <freebsd-security@xxxxxxxxxxx>
Sent: Friday, December 16, 2005 8:18 PM
Subject: Re: geli or gbde encryption of slices
_______________________________________________ freebsd-security@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: [fbsd] Re: geli or gbde encryption of slices
- From: Jeremie Le Hen
- Re: [fbsd] Re: geli or gbde encryption of slices
- References:
- geli or gbde encryption of slices
- From: Robert Blacquiere
- Re: geli or gbde encryption of slices
- From: Pawel Jakub Dawidek
- geli or gbde encryption of slices
- Prev by Date: Re: geli or gbde encryption of slices
- Next by Date: Brute Force Detection + Advanced Firewall Policy
- Previous by thread: Re: geli or gbde encryption of slices
- Next by thread: Re: [fbsd] Re: geli or gbde encryption of slices
- Index(es):
Relevant Pages
|
|
