Date: Mon, 6 Mar 2006 11:58:46 +0100 (CET)
From: Christian Baer <christian.baer@informatik.uni-dortmund.de>
To: freebsd-geom@freebsd.org
Subject: Changing geli-providers from passphrase to keyfile
Message-ID: <duh4l6$uv8$3@nermal.rz1.convenimus.net>
Hello there, folks!

For security reasons [ what others are there? :-) ] I have several drives encrypted with geli. I am quite happy with how this works - apart from the speed maybe, but that is a different matter.

As suggested by Pawel, I have written a little script for attaching and mounting the encrypted filesystems. The whole thing works like this:

- I supply the passphrase.
- The script adds a little to the passphrase for each provider and hashes it through sha256. This is now the *real* passphrase.[1]
- All the hashes (passphrases) are displayed on the screen.
- geli(8) is started to attach each provider.
- I use copy and paste to "enter" each passphrase.
- All filesystems are checked by fsck and mounted.

Although displaying the hashes isn't a real security problem, because I don't attach the providers when someone is looking over my shoulder and even if, it is highly unlikely that he/she could remember the hashes, and after I'm done I erase the scrollback from the terminal, I don't like the idea very much, because there is too much room for human error. I have made mistakes before. :-)

I would really like to pipe the passphrase to geli using something like this:

echo "passphrase" | geli attach /dev/ad0s1d

but geli ignores that. geli only 'likes' this if a keyfile is used, i.e. you can pipe a keyfile to geli, but not a passphrase. I chose to use passphrases instead of keyfiles because of PKCS and the use of salt, which are both not used with keyfiles.

If I want to change the script for attaching the providers so I only type my passphrase once and the rest runs by itself (no more hashes are displayed), I would have to change the current providers. geli supports changing passphrases. The question is, can I tell geli to attach a provider created with a passphrase using a keyfile? If this *is* possible, is it a good idea or rather not, and how is it done?

Regards
Chris

[1] The idea is that I only have to remember one passphrase and at the same time, every provider has its own, completely different passphrase.
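An added example, not part of the original message or of the poster's script: the same per-provider derivation (master passphrase plus provider name, hashed with SHA-256), but the derived passphrase is fed to geli on standard input instead of being printed and pasted. It assumes a geli(8) that accepts the "-j passfile" option with "-" meaning stdin (current FreeBSD releases do; the geli the poster describes ignores stdin for passphrases), and the provider names ad0s1d and ad1s1d are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): enter the master passphrase once,
# derive one passphrase per geli provider, and hand it to geli via "-j -" so
# no hash is ever displayed on the terminal. Assumes geli(8) supports "-j".
set -eu

# Print the SHA-256 hex digest of stdin, whichever digest tool the host has.
sha256_hex() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q          # FreeBSD
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# derive_passphrase MASTER PROVIDER -> 64 hex chars, distinct per provider.
# The hash only separates providers; the entropy is still that of MASTER,
# and geli applies its own PKCS#5 PBKDF2 with the stored salt on top of it.
derive_passphrase() {
    printf '%s%s' "$1" "$2" | sha256_hex
}

# Read the master passphrase from the terminal once, without echoing it.
read_master() {
    printf 'Master passphrase: ' >&2
    stty -echo
    IFS= read -r master
    stty echo
    printf '\n' >&2
    printf '%s' "$master"
}

# attach_all MASTER PROVIDER... : attach each provider, passing the derived
# passphrase on stdin. Nothing is printed, so there is nothing to copy/paste
# and nothing to scrub from the scrollback afterwards.
attach_all() {
    master=$1; shift
    for prov in "$@"; do
        derive_passphrase "$master" "$prov" | geli attach -j - "/dev/$prov"
    done
}

# Usage: sh attach.sh attach ad0s1d ad1s1d   (provider names are placeholders)
case "${1:-}" in
    attach) shift; attach_all "$(read_master)" "$@" ;;
esac
```

The fsck and mount steps from the poster's list would follow attach_all unchanged; only the passphrase hand-off differs.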