Date: Wed, 01 Jan 2014 17:34:00 +0000
From: Karl Pielorz <kpielorz_lst@tdx.co.uk>
To: "Chad J. Milios" <milios@ccsys.com>
Cc: freebsd-geom@freebsd.org
Subject: Re: HAST + GELI?
Message-ID: <2EB9462086A3E79F9C337122@study64.tdx.co.uk>
In-Reply-To: <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>
References: <DEDAAAFBF4A1B918B9D76639@study64.tdx.co.uk> <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>

--On 31 December 2013 17:03:33 -0500 "Chad J. Milios" <milios@ccsys.com> wrote:

> Either way works great. Both ways have their benefits, pains and
> pitfalls.

I guess HAST on top of GELI means both systems share the crypto load, whereas GELI on top of HAST means one box ends up doing the crypto work for both 'sides' of the HAST devices... [if I've got that the right way round] - so HAST on GELI is probably the better way to go.

> It depends on your use case, configuration, hardware,
> adversaries, etc. Like most security solutions, the devil, and
> weaknesses, lay in the details, like network engineering and key
> management. Care to elaborate for us?

There's not a lot to elaborate - I want more redundancy for a home system with the added benefit if someone happens to steal either box - I don't want them getting 'easy access' to family photos, emails info etc.

> In other cases software based full disk encryption is really only going
> to thwart or inconvenience the weakest of adversaries,

Hehe - if that means the person who breaks in and steals it just scraps it rather than gets to go through all the data - that's fine by me :)

But point kinda taken :-)

-Karl