From: Matt Piechota
To: Frank Steinborn
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, Nikos Vassiliadis
Date: Thu, 7 Sep 2006 13:06:12 -0400 (EDT)
Subject: Re: Getting GELI Keys from Floppy
Message-ID: <20060907125622.G3820@acropolis.argolis.org>
In-Reply-To: <20060907122901.6205EB82C@shodan.nognu.de>

On Thu, 7 Sep 2006, Frank Steinborn wrote:

> I could use /dev/fd0 directly but then I had to use the same key for
> all 6 HDD's in the server. I got a solution by hacking /etc/rc.d/geli
> - I'm just mounting the floppy there before it tries to read the key.

You could read different parts of the floppy for different keys.

Speaking of which, do the keys have any identifiable strings in them? If
not, you could fill the floppy with random garbage and 'hide' the key. I'm
assuming that since you don't want a password, you don't want the boot to
require interaction, so it's not that useful, but if nothing else it would
help if someone got access to the floppy (remotely or by physical access).

-- 
Matt Piechota
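The "different parts of the floppy for different keys" idea from the message above, worked through as an added example (this is not Frank's rc.d change nor anything from the FreeBSD tree): a raw device is filled with random bytes and each disk's keyfile is written at a fixed slot offset, then read back with dd(1) into a temporary file that an rc hook could hand to `geli attach -k`. A plain file stands in for /dev/fd0, and the 64-byte key length and 4 KiB slot spacing are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example: several GELI keyfiles stored at fixed offsets on one raw
# device image. IMG stands in for /dev/fd0; KEYLEN and SLOT are assumptions.

IMG="${IMG:-./floppy.img}"   # stand-in for the raw floppy device (assumption)
KEYLEN=64                    # bytes per keyfile (assumption; geli takes any length)
SLOT=4096                    # bytes reserved per key slot (assumption)

# Fill the whole 1.44 MB image with random data so an unused slot is not
# distinguishable from a real key by looking at the bytes.
make_image() {
    dd if=/dev/urandom of="$IMG" bs=1k count=1440 2>/dev/null
}

# Byte offset of slot N.
slot_offset() { echo $(( $1 * SLOT )); }

# Write keyfile $2 into slot $1. conv=notrunc keeps the surrounding random
# bytes instead of truncating the image at the end of the key.
put_key() {
    dd if="$2" of="$IMG" bs=1 seek="$(slot_offset "$1")" count="$KEYLEN" \
        conv=notrunc 2>/dev/null
}

# Read slot $1 back into file $2. An rc script would do this per disk and
# then run: geli attach -k "$2" /dev/adaN   (command shown, not executed here)
get_key() {
    dd if="$IMG" of="$2" bs=1 skip="$(slot_offset "$1")" count="$KEYLEN" 2>/dev/null
}

# Hex dump used for comparing two small files byte for byte.
hexdump_file() { od -An -tx1 -v "$1" | tr -d ' \n'; }

# Demonstration: six keys, one per HDD, each must round-trip unchanged.
# Returns 0 on success, 1 on the first mismatch.
demo() {
    make_image
    i=0
    while [ "$i" -lt 6 ]; do
        dd if=/dev/urandom of="key$i.orig" bs="$KEYLEN" count=1 2>/dev/null
        put_key "$i" "key$i.orig"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 6 ]; do
        get_key "$i" "key$i.read"
        [ "$(hexdump_file "key$i.orig")" = "$(hexdump_file "key$i.read")" ] || return 1
        i=$((i + 1))
    done
    return 0
}
```

Running `demo` in a scratch directory writes the image and twelve small key files and exits 0 when every slot reads back intact. The slot table (offset per disk) is the only thing the boot script needs to know, which is what makes the random fill worthwhile: the bytes on the floppy alone do not say where a key starts or ends, so the offsets belong in the rc script rather than on the media.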