Date: Sun, 11 Dec 2005 13:33:46 +0100
From: Robert Blacquiere <freebsd-security@guldan.demon.nl>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: geli or gbde encryption of slices
Message-ID: <20051211123346.GK98018@bombur.guldan.demon.nl>

Hello,

I was playing around with geli and gbde after last EuroBSDCon. I liked the idea of encrypting my data which resides in /home/$user. Since this is a "single" user laptop I intended to encrypt the whole /home partition. Well, no problems with that. But I wanted the lockfile or keyfile on a separate USB disc, which would be mounted or used during boot of the system. I also used gshsec on the USB disc to make things even more difficult.

Well, here is what I found. You can't use a non-mounted disc for the keys; to take things further, geli asks for the access passphrase before any filesystems except / are mounted. Gbde fails also because the system can't interactively query for the passphrase.

I wanted to use a 3-way authentication for the slice, encrypted fs, a USB key and passphrase. I can use geli without the USB key (keyfile). But that would render a possible bruteforce entry.

Is there a way to have something similar to this working? I even thought of using something like vendor, product and serial IDs for the "keyfile" which could be used with any USB device on the USB bus.

Have any of you thought about these things and have a way to do this sort of thing (keyfile on USB drive)?

Robert

--
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!