From: Barkley Vowk <bvowk@math.ualberta.ca>
To: Frank Steinborn
Cc: freebsd-security@freebsd.org
Date: Wed, 6 Sep 2006 15:28:20 -0600 (MDT)
Subject: Re: Getting GELI Keys from Floppy
Message-ID: <20060906151041.N37483@3jane.math.ualberta.ca>
In-Reply-To: <20060906210021.C2428B82C@shodan.nognu.de>
References: <20060906210021.C2428B82C@shodan.nognu.de>

You are a complete madman. You want to protect your data with a key stored on the most completely and utterly unreliable form of data storage still lamentably in use? It's not the 1970's anymore, get a real data storage medium!

Get a usb flash drive, from there it's a simple matter of changing the geli script to mount a specific usb device before starting. Look in /etc/rc.d/geli and geli2. I'd put your mounting and checks between the kldstat and the "if [ -z" in the geli_start() sub. You'll want to then use "geli -K" to input your key material, so you'll want to make sure your device is present, and that it has the expected key filename on it. You could also use dd and dump the first n sectors to stdout and pipe that into your geli command.

Seems like quite a waste if you don't intend to use a passphrase.

On Wed, 6 Sep 2006, Frank Steinborn wrote:

> Hello,
>
> I want to encrypt my HDD's with GELI (not the root-fs, though). I want
> to do the encryption without password, just with a key. The key should
> be stored in a floppy disk, and the read should be read automatically
> on boot, from the floppy.
>
> There is a problem here, because GELI initializes _before_ mounting
> the disks from /etc/fstab (for obvious reasons, of course). So GELI is
> not able to get the keys from the floppy and fails.
>
> So, any hints how I could get the floppy mounted _before_ GELI tries
> to initialize?
>
> Thanks in advance,
> Frank
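The hook Barkley sketches (mount the key device, confirm the expected key file is present, then hand the key to geli, with the dd-to-stdin variant as an alternative), written out as an added example. This is not code from the list post or from FreeBSD's /etc/rc.d/geli; the variable names, the labelled device path /dev/ufs/gelikey, the mount point /mnt/gelikey and the file name geli.key are assumptions of this example. It uses `geli attach -p -k` (no passphrase component, key from file) rather than the `geli -K` spelling in the post, since `-K` is the init-time option and attach-time reading is what the rc.d hook needs; `-` as the key file name reads from stdin per geli(8).

```shell
#!/bin/sh
# Added example, not from the post or from /etc/rc.d/geli. Intended to be
# called from geli_start() between the kldstat check and the 'if [ -z' test,
# as the reply suggests. All names below are assumptions of this example.

GELI_KEYDEV="${GELI_KEYDEV:-/dev/ufs/gelikey}"  # assumed: glabel'd UFS flash drive
GELI_KEYMNT="${GELI_KEYMNT:-/mnt/gelikey}"       # assumed mount point
GELI_KEYFILE="${GELI_KEYFILE:-geli.key}"         # assumed key file name
GELI_CMD="${GELI_CMD:-geli}"                     # overridable for a dry run

# Fail closed: if the key device is not present, return non-zero so the
# caller stops instead of falling through to geli with no key material.
geli_key_mount() {
    [ -e "$GELI_KEYDEV" ] || { echo "geli: key device $GELI_KEYDEV not present" >&2; return 1; }
    mkdir -p "$GELI_KEYMNT" || return 1
    mount -o ro "$GELI_KEYDEV" "$GELI_KEYMNT"
}

geli_key_umount() {
    umount "$GELI_KEYMNT"
}

# Checks on the key file: it must exist, be a regular non-empty file, and
# carry no group/other permission bits. With no passphrase the file is the
# whole secret, so a world-readable key is treated as a failure.
geli_key_check() {
    f="$1/$2"
    [ -f "$f" ] || { echo "geli: key file $f missing" >&2; return 1; }
    [ -s "$f" ] || { echo "geli: key file $f is empty" >&2; return 1; }
    bits=$(ls -ld "$f" | cut -c5-10)   # group+other part of the mode string
    [ "$bits" = "------" ] || { echo "geli: key file $f is mode $bits, expected ------" >&2; return 1; }
    return 0
}

# Attach one provider (e.g. "da1") using the key file from the mounted
# device. -p: no passphrase component; -k: key file.
geli_key_attach() {
    prov="$1"
    keyfile="$GELI_KEYMNT/$GELI_KEYFILE"
    geli_key_check "$GELI_KEYMNT" "$GELI_KEYFILE" || return 1
    "$GELI_CMD" attach -p -k "$keyfile" "$prov"
}

# The raw-sector variant from the post: read the first N 512-byte sectors
# of the key device and feed them to geli on stdin ('-' as the key file).
# No filesystem or mount is involved in this case.
geli_key_attach_raw() {
    prov="$1"
    sectors="${2:-8}"
    [ -e "$GELI_KEYDEV" ] || { echo "geli: key device $GELI_KEYDEV not present" >&2; return 1; }
    dd if="$GELI_KEYDEV" bs=512 count="$sectors" 2>/dev/null | "$GELI_CMD" attach -p -k - "$prov"
}

# Typical use inside geli_start(), after kldstat has confirmed geom_eli:
#   geli_key_mount || return 1
#   geli_key_attach da1 || { geli_key_umount; return 1; }
#   geli_key_umount
```

The checks are deliberately strict: a missing device or an empty or world-readable key file aborts the attach rather than letting the boot continue with an unencrypted-equivalent configuration. As the reply notes, without a passphrase whoever holds the flash drive holds the disk, so the file permissions and the physical custody of the device are the entire access control.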