From: Robert Blacquiere
To: freebsd-security
Date: Sun, 11 Dec 2005 13:33:46 +0100
Subject: geli or gbde encryption of slices
Message-ID: <20051211123346.GK98018@bombur.guldan.demon.nl>

Hello,

I was playing around with geli and gbde after last EuroBSDCon. I liked the idea of encrypting my data, which resides in /home/$user. Since this is a "single" user laptop I intended to encrypt the whole /home partition. Well, no problems with that. But I wanted the lockfile or keyfile on a separate USB disc, which would be mounted or used during boot of the system.
I also used gshsec on the USB disc to make things even more difficult. Well, here is what I found. You can't use a non-mounted disc for the keys; to take things further, geli asks for the access passphrase before any filesystem except / is mounted. Gbde also fails because the system can't interactively query for the passphrase.

I wanted to use a 3-way authentication for the slice: encrypted fs, a USB key and passphrase. I can use geli without the USB key (keyfile), but that would leave a possible brute-force entry. Is there a way to have something similar to this working? I even thought of using something like vendor, product and serial IDs for the "keyfile", which could be used with any USB device on the USB bus.

Have any of you thought about these things and have a way to do this sort of thing (keyfile on USB drive)?

Robert

-- 
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!