From owner-freebsd-geom@FreeBSD.ORG  Wed Jan  1 17:34:13 2014
Return-Path: <owner-freebsd-geom@FreeBSD.ORG>
Delivered-To: freebsd-geom@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E57AF708
 for <freebsd-geom@freebsd.org>; Wed,  1 Jan 2014 17:34:13 +0000 (UTC)
Received: from mail.tdx.com (mail.tdx.com [62.13.128.18])
 by mx1.freebsd.org (Postfix) with ESMTP id 86EE1165B
 for <freebsd-geom@freebsd.org>; Wed,  1 Jan 2014 17:34:13 +0000 (UTC)
Received: from study64.tdx.co.uk (study64.tdx.co.uk [62.13.130.231])
 (authenticated bits=0)
 by mail.tdx.com (8.14.3/8.14.3/) with ESMTP id s01HY0T8021317
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Wed, 1 Jan 2014 17:34:00 GMT
Date: Wed, 01 Jan 2014 17:34:00 +0000
From: Karl Pielorz <kpielorz_lst@tdx.co.uk>
To: "Chad J. Milios" <milios@ccsys.com>
Subject: Re: HAST + GELI?
Message-ID: <2EB9462086A3E79F9C337122@study64.tdx.co.uk>
In-Reply-To: <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>
References: <DEDAAAFBF4A1B918B9D76639@study64.tdx.co.uk>
 <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: freebsd-geom@freebsd.org
X-BeenThere: freebsd-geom@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: GEOM-specific discussions and implementations
 <freebsd-geom.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-geom>,
 <mailto:freebsd-geom-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-geom/>
List-Post: <mailto:freebsd-geom@freebsd.org>
List-Help: <mailto:freebsd-geom-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-geom>,
 <mailto:freebsd-geom-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jan 2014 17:34:14 -0000



--On 31 December 2013 17:03:33 -0500 "Chad J. Milios" <milios@ccsys.com> 
wrote:

> Either way works great. Both ways have their benefits, pains and
> pitfalls.

I guess HAST on top of GELI means both systems share the crypto load, 
whereas GELI ontop of HAST means one box ends up doing the crypto work for 
both 'sides' of the HAST devices... [if I've got that the right way round] 
- so HAST on GELI is probably the better way to go.

> It depends on your use case, configuration, hardware,
> adversaries, etc. Like most security solutions, the devil, and
> weaknesses, lay in the details, like network engineering and key
> management. Care to elaborate for us?

There's not a lot to elaborate - I want more redundancy for a home system 
with the added benefit if someone happens to steal either box - I don't 
want them getting 'easy access' to family photos, emails info etc.

> In other cases software based full disk encryption is really only going
> to thwart or inconvenience the weakest of adversaries,

Hehe - if that means the person who breaks in and steals it just scraps it 
rather than gets to go through all the data - that's fine by me :) But 
point kinda taken :-)

-Karl