Date:      Thu, 7 Sep 2006 10:29:03 -0500
From:      "Jack Barnett" <jackbarnett@gmail.com>
To:        freebsd-security@freebsd.org
Cc:        Frank Steinborn <steinex@nognu.de>
Subject:   Re: Getting GELI Keys from Floppy
Message-ID:  <dedb607c0609070829k37572e6fu2c497d09ef81f091@mail.gmail.com>
In-Reply-To: <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com>
References:  <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca> <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com>

That's a really good idea - removable media with a key (so you can take it
out for security reasons) and using a key so you don't have to type in a
passphrase each time.

btw, is there any good document on GELI?

One idea is having 1 server with a CD-ROM drive and exporting it via NFS.
When a server boots it mounts the remote CD-ROM drive and looks for key
"$HOSTNAME.key".

CDs are reliable - hold a good amount of data (enough for lots of keys) and
can be removed and taken with you.

-J




On 9/7/06, Bob Johnson <fbsdlists@gmail.com> wrote:
>
> On 9/6/06, Barkley Vowk <bvowk@math.ualberta.ca> wrote:
> > You are a complete madman. You want to protect your data with a key stored
> > on the most completely and utterly unreliable form of data storage still
> > lamentably in use? It's not the 1970s anymore, get a real data storage
> > medium!
> >
> > Get a USB flash drive, from there it's a simple matter of changing the geli
> > script to mount a specific USB device before starting. Look in
> > /etc/rc.d/geli and geli2. I'd put your mounting and checks between the
> > kldstat and the "if [ -z" in the geli_start() sub.
>
> I have floppies from the 1980s that are still readable, but I have
> never had a USB flash drive last more than six months when actually in
> use.  For important data, I trust a floppy far more than I trust a
> flash drive. The big problem with floppies is they don't hold enough
> data. For that matter, writeable CDs and DVDs have proven to be much
> less reliable than floppies, too.
>
> - Bob


