Date:      Mon, 6 Mar 2006 11:58:46 +0100 (CET)
From:      Christian Baer <christian.baer@informatik.uni-dortmund.de>
To:        freebsd-geom@freebsd.org
Subject:   Changing geli-providers from passphrase to keyfile
Message-ID:  <duh4l6$uv8$3@nermal.rz1.convenimus.net>

Hello there, folks!

For security reasons [ what others are there? :-) ] I have several
drives encrypted with geli. I am quite happy with how this works -
apart from the speed maybe but that is a different matter.

As suggested by Pawel, I have written a little script for attaching and
mounting the encrypted filesystems. The whole thing works like this:

- I supply the passphrase.
- The script adds a little to the passphrase for each provider and
    hashes it through sha256. This is now the *real* passphrase.[1]
- All the hashes (passphrases) are displayed on the screen.
- geli(8) is started to attach each provider.
- I use copy and paste to "enter" each passphrase.
- All filesystems are checked by fsck and mounted.

Although displaying the hashes isn't a real security problem because I
don't attach the providers when someone is looking over my shoulder and
even if, it is highly unlikely that he/she could remember the hashes and
after I'm done I erase the scrollback from the terminal, I don't like
the idea very much, because there is too much room for human error. I
have made mistakes before. :-)

I would really like to pipe the passphrase to geli using something like
this:

echo "passphrase" | geli attach /dev/ad0s1d

but geli ignores that. geli only 'likes' this if a keyfile is used, i.e.
you can pipe a keyfile to geli, but not a passphrase. I chose to use
passphrases instead of keyfiles because of PKCS and the use of salt,
which are both not used with keyfiles. If I want to change the script
for attaching the providers so I only type my passphrase once and the
rest runs by itself (no more hashes are displayed), I would have to
change the current providers.

geli supports changing passphrases. The question is, can I tell geli to
attach a provider created with a passphrase using a keyfile? If this
*is* possible, is it a good idea or rather not and, how is it done?

Regards
Chris

[1] The idea is that I only have to remember one passphrase and at the
same time, every provider has its own, completely different passphrase.
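
The script sketched in the message above, as an added example that is not part of the original post or of geli itself: one passphrase is read once without echo, a per-provider key is derived by hashing the passphrase plus the provider name with SHA-256 (the post's own scheme, with the provider name standing in for "a little" per-provider suffix), each key is written to a mode-0600 keyfile that is never printed, and the provider is attached with `geli attach -p -k keyfile` (-p: no passphrase component, -k: keyfile), so nothing has to be copied and pasted. The provider list (only ad0s1d comes from the post), the key directory, the function names, the fstab-driven mount and the commented-out setkey migration line are assumptions for illustration; check the geli flags against your local geli(8) before relying on them.

```shell
#!/bin/sh
# Added example, not from the original post. Derives one keyfile per
# geli provider from a single passphrase and attaches with the keyfile,
# without ever displaying the derived key.
set -eu

# Assumed provider list; only ad0s1d appears in the post.
PROVIDERS="ad0s1d ad1s1d"

# SHA-256 of stdin as 64 hex characters: sha256sum (Linux/GNU),
# sha256 (FreeBSD base) or openssl as a last resort.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# derive_key PASSPHRASE PROVIDER -> per-provider key (hex) on stdout.
# Same idea as the post: passphrase + per-provider string, hashed once.
# Note this is unsalted and unstretched; with "attach -p" geli's own
# PBKDF2/salt step is bypassed, so the passphrase must carry the entropy.
derive_key() {
    printf '%s' "$1$2" | sha256_hex
}

# write_keyfile PASSPHRASE PROVIDER DIR -> path of a 0600 keyfile.
# geli reads the keyfile as opaque bytes, so hex text is fine.
write_keyfile() {
    name=$(printf '%s' "$2" | tr '/' '_')
    file="$3/$name.key"
    ( umask 077; printf '%s' "$(derive_key "$1" "$2")" > "$file" )
    printf '%s\n' "$file"
}

# attach_provider PROVIDER KEYFILE: keyfile only, no passphrase prompt.
attach_provider() {
    geli attach -p -k "$2" "$1"
}

# One-time migration of a provider that was created with a passphrase
# (per geli(8): -P = no new passphrase component, -K = new keyfile);
# run it once while the provider is still attached the old way:
#   geli setkey -P -K /path/to/ad0s1d.key ad0s1d

main() {
    stty -echo; printf 'Passphrase: '; read -r pass; stty echo; printf '\n'
    # Keyfiles live only for the duration of the attach; an mfs/tmpfs
    # directory would keep them off the disk entirely.
    keydir=$(mktemp -d /tmp/gelikeys.XXXXXX)
    for prov in $PROVIDERS; do
        kf=$(write_keyfile "$pass" "$prov" "$keydir")
        attach_provider "$prov" "$kf"
        # Assumes an fstab entry for /dev/<prov>.eli.
        fsck -p "/dev/$prov.eli" && mount "/dev/$prov.eli"
    done
    rm -rf "$keydir"
    unset pass
}

# Only attach when explicitly asked; the functions can be sourced alone.
if [ "${GELI_ATTACH:-0}" = 1 ]; then
    main
fi
```

Run it as `GELI_ATTACH=1 sh attach.sh` as root. The derived keys stay in memory and in the temporary keyfiles only until the providers are attached; the hex strings are never written to the terminal, which removes the copy-and-paste step the post worries about.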
