From owner-freebsd-security@FreeBSD.ORG Sun Jun 22 19:41:36 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 810BA106567A for ; Sun, 22 Jun 2008 19:41:36 +0000 (UTC) (envelope-from temp0607@mail.securge.net)
Received: from v027580.home.net.pl (v027580.home.net.pl [89.161.156.148]) by mx1.freebsd.org (Postfix) with SMTP id 74BCB8FC24 for ; Sun, 22 Jun 2008 19:41:34 +0000 (UTC) (envelope-from temp0607@mail.securge.net)
Received: from localhost (HELO ?172.16.0.101?) (temp0607.freeside@home@127.0.0.1) by m094.home.net.pl with SMTP; Sun, 22 Jun 2008 19:14:59 -0000
Message-ID: <485EA493.1050601@mail.securge.net>
Date: Sun, 22 Jun 2008 20:14:27 +0100
From: michupitka
User-Agent: Thunderbird 2.0.0.14 (X11/20080608)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: disk label and geli encrypted slice
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 22 Jun 2008 19:41:36 -0000

Hello,

I'm using geli on a laptop PC with only one HDD. The disk is divided into two slices, ad0s1 and ad0s2. The second slice (ad0s2) is encrypted with GEOM ELI using two-factor authentication: a passphrase plus a keyfile on a USB drive. FreeBSD is installed on ad0s2.eli and the first slice is not used by this system, so let's say that I've got full disk encryption. Now my question: is it safe to keep a backup of the encrypted disk's label (a dump of bsdlabel /dev/ad0s2.eli) on the same USB drive as the keyfile?
Information about the partitions itself is not important to me, I don't feel like I have to keep it secret, but is it any advantage to an attacker if she gets her hands not only on the keyfile but also on the unencrypted BSD label, and can she then gain access to the still-encrypted media? I'm deliberately omitting the fact that in this scenario the attacker also has access to the unencrypted kernel or /boot directory on the USB drive, so she could trojan it or do other nasty things to obtain my passphrase later.

Michal

--
"I do not fear computers. I fear the lack of them." -Isaac Asimov
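Whatever the answer to the confidentiality question, a label backup kept on a removable medium that an attacker may also have touched should be checked before it is ever restored. The following Python script is an added example, not part of the original post or of FreeBSD's own tooling: it parses the text format printed by bsdlabel(8) (the sample dump below is constructed to look like one, with made-up sizes and offsets), validates that the partitions fit inside the whole-slice 'c' entry and do not overlap, and diffs a stored backup against a freshly taken label so a silently altered backup, or a disk whose layout has changed since the backup, is noticed rather than written back blindly.

```python
import re

# Constructed sample of a bsdlabel text dump (format of bsdlabel(8) output);
# the device name, sizes and offsets are invented for this example.
LABEL_BACKUP = """\
# /dev/ad0s2.eli:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  1048576       16    4.2BSD     2048 16384 28552
  b:  2097152  1048592      swap
  c: 20971520        0    unused        0     0         # "raw" part, don't edit
  d: 17825776  3145744    4.2BSD     2048 16384 28552
"""

# One partition line: letter, size, offset, fstype (remaining fields ignored).
PART_RE = re.compile(r"^\s*([a-h]):\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_bsdlabel(text):
    """Return {letter: (size, offset, fstype)} from a bsdlabel text dump.

    Comment lines ('#') and the 'N partitions:' header are skipped."""
    parts = {}
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            letter, size, offset, fstype = m.groups()
            parts[letter] = (int(size), int(offset), fstype)
    return parts


def layout_problems(parts):
    """Sanity checks before trusting or restoring a label backup.

    Every partition must lie inside 'c' (the whole slice), and partitions
    other than 'c' must not overlap each other. Returns a list of findings;
    an empty list means the layout is internally consistent."""
    problems = []
    if "c" not in parts:
        return ["no 'c' partition; cannot validate extents"]
    c_size, c_off, _ = parts["c"]
    ranges = []
    for letter, (size, off, _fstype) in sorted(parts.items()):
        if letter == "c":
            continue
        if off < c_off or off + size > c_off + c_size:
            problems.append(f"{letter}: extends past slice end")
        ranges.append((off, off + size, letter))
    ranges.sort()
    for (_s1, e1, l1), (s2, _e2, l2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            problems.append(f"{l1} and {l2} overlap")
    return problems


def diff_labels(stored, live):
    """List partition entries that differ between the backup and the live
    label (as parsed by parse_bsdlabel), so a tampered backup or a changed
    disk is caught before 'bsdlabel -R' is run with the backup."""
    diffs = []
    for letter in sorted(set(stored) | set(live)):
        a, b = stored.get(letter), live.get(letter)
        if a != b:
            diffs.append(f"{letter}: backup={a} live={b}")
    return diffs


if __name__ == "__main__":
    # On a real system the live label would come from
    # `bsdlabel /dev/ad0s2.eli`; here the backup is compared with itself
    # and with a deliberately altered copy.
    backup = parse_bsdlabel(LABEL_BACKUP)
    print("layout problems:", layout_problems(backup) or "none")
    altered = dict(backup)
    altered["d"] = (altered["d"][0] + 1, altered["d"][1], altered["d"][2])
    print("differences:", diff_labels(backup, altered))
```

The label carries only partition geometry and filesystem types, which is why the checks above are about integrity (does the backup still describe a sane layout, and does it match the disk) rather than secrecy.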