Date: Fri, 10 Oct 2014 17:58:42 -0400 From: "Michael W. Lucas" <mwlucas@michaelwlucas.com> To: hackers@freebsd.org Subject: GBDE not protecting the user Message-ID: <20141010215842.GA6717@mail.michaelwlucas.com>
next in thread | raw e-mail | index | archive | help
[Tried questions@, no answer, and the code contains things I just cannot trigger.] Hi, Been playing with GBDE a while, trying to make it protect me. One of the features of GBDE is that it should "provide tangible feedback" that the data has been destroyed. (See PHK's paper at http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf, section 4.1.) The man page doesn't mention how to make GBDE whine, so what the heck, let's make it tell me the keys are destroyed. Creating GBDE devices is very simple. # gbde init /dev/gpt/encrypted -L /etc/encrypted.lock I created a filesystem, mounted it, put files on it, unmounted. There's two operations to wipe out a GBDE: nuke and destroy. Nuke looks like the right thing. I nuke all the keys: # gbde nuke gpt/encrypted -l /etc/encrypted.lock -n -1 Enter passphrase: Opened with key 0 Nuked key 0 Nuked key 1 Nuked key 2 Nuked key 3 # gbde attach gpt/encrypted -l /etc/encrypted.lock Enter passphrase: # The .bde device isn't there, and my filesystem is gone. But I received no confirmation that the keys were destroyed. I also didn't get a message that the device couldn't be attached, although it clearly isn't. Fine. Let's try 'gbde destroy'. # gbde init /dev/gpt/encrypted -L /etc/encrypted.lock Enter new passphrase: Reenter new passphrase: # gbde destroy gpt/encrypted -l /etc/encrypted.lock Enter passphrase: Opened with key 0 # gbde attach gpt/encrypted -l /etc/encrypted.lock Enter passphrase: # The device isn't attached, it just fails silently. And failing with a specific complaint is the whole point of GBDE. Did I misunderstand the GBDE functionality? Am I missing something daft? Has this code just decayed with GELI's arrival? Thanks, ==ml -- Michael W. Lucas - mwlucas@michaelwlucas.com, Twitter @mwlauthor http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20141010215842.GA6717>