Date: Mon, 30 Jan 2006 17:46:45 +0100
From: Christian Brueffer <chris@unixpages.org>
To: Christian Baer <christian.baer@informatik.uni-dortmund.de>
Cc: freebsd-geom@freebsd.org
Subject: Re: A few things about GELI
Message-ID: <20060130164645.GA1486@haakonia.hitnet.RWTH-Aachen.DE>
In-Reply-To: <drlccu$1uv6$2@nermal.rz1.convenimus.net>
References: <drlccu$1uv6$2@nermal.rz1.convenimus.net>
On Mon, Jan 30, 2006 at 04:46:38PM +0100, Christian Baer wrote:
> Good afternoon[1], fellow readers! :-)
>
> Because I wanted something new to play with and because I found the idea
> of encrypting swap and temp space, I decided to give GELI a try. The
> idea of using crypto(9) seems good too, because that way hardware
> support is added at no extra cost - I know, that was part of the reason,
> why GELI was written. :-)
>
> Note:
> This thread is not really related to the one I started on the security
> mailing-list. Because of the existing crypto-hardware GELI won that
> race described there. This here is more of personal interest.
>
> The question is more of an academic nature, but interesting just the
> same: Can it be said that GELI is more secure (by design) than GBDE or
> vice versa? The differences are not only of cosmetic nature or in the
> user interface, but there is a real difference within the concept. Can
> one of these approaches be called more secure than the other[2]?
>

There was a huge thread about this very topic on one of the NetBSD lists
and freebsd-hackers@ between phk and the guy that implemented cgd for
NetBSD (very similar in concept to geli). So, if you're interested in the
gory details, I suggest you look that thread up. To cut it short:
opinions differ greatly.

>
> Are there plans for a geli(4) manpage inspired by the gbde(4) manpage? It
> just shows the non-expert wonderfully how it works and how safe it is
> (in numbers).
>

That would be very useful indeed.

> Now for some *real* questions... :-)
>
> GBDE wants to be attached to a partition like adxs1d. The examples in
> the handbook however suggest that GELI should be attached to the
> hardware-device adx and not to a partition. Why is this so? I am
> guessing that GELI would be just as happy to be attached to ad1s1d as to
> ad1 (wouldn't this be mandatory if there were more than one partition on
> the drive?), but does this have any (dis-) advantages?
>

You can encrypt arbitrary providers with geli (same as with gbde). E.g.
on my notebook I have encrypted ad0s1f with geli and have it attach at
boot with the corresponding rc.conf variables.

> If I were to use encrypted swap space I couldn't use the fstab for these
> anymore. Should I do this with a start-up script and if so, where should
> I put it? 'Where' as in 'where should it be in the boot-order?'
>

To have your partitions encrypted, you just have to add .eli (for geli)
or .bde (for gbde) to your device name in /etc/fstab, e.g.
/dev/ad0s1b.eli on my notebook. The /etc/rc.d/encswap script does the
rest automagically. That means you don't have to worry about the
boot-order.

(The above is true for 7-CURRENT and 6-STABLE, I'm not sure whether
encswap was part of 6.0-RELEASE. For older versions, there were special
gbde options for rc.conf).

> Basically the same thing goes for temp-space. When should it be mounted?
> And more importantly, if I use a new key every time, wouldn't I need a
> newfs during every boot - before I mount /tmp?
>

You could use a tmpmfs (see corresponding rc.conf variables). Adding it
to the geli_devices variable probably just works(tm), but it depends on
the order of the rc scripts.

- Christian

-- 
Christian Brueffer      chris@unixpages.org      brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
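Added example, not part of the thread above: a small POSIX sh audit that reads an /etc/fstab and lists swap devices whose name does not end in .eli (geli) or .bde (gbde), i.e. swap that would not be set up by /etc/rc.d/encswap at boot. The fstab contents are a constructed sample embedded inline.

```shell
#!/bin/sh
# Constructed sample fstab: one swap device is routed through geli, one is not.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b.eli none        swap    sw       0     0
/dev/ad1s1b     none        swap    sw       0     0
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1f.eli /home       ufs     rw       2     2
'

# Read fstab text on stdin and print one line per swap device that is
# neither a .eli nor a .bde provider. Comments and blank lines are skipped.
unencrypted_swap() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comment or blank line
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { print $1 }
    '
}

# Number of unencrypted swap devices in the sample; 0 means every swap
# entry carries the .eli/.bde suffix and is handled by encswap.
count_unencrypted_swap() {
    printf '%s' "$SAMPLE_FSTAB" | unencrypted_swap | wc -l | tr -d ' '
}

count_unencrypted_swap   # prints 1 (the plain /dev/ad1s1b entry)
```

To audit a live system, replace the sample with `unencrypted_swap < /etc/fstab`.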
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060130164645.GA1486>