Date: Sat, 15 Sep 2018 20:18:19 +0100
From: RW <rwmaillists@googlemail.com>
To: freebsd-geom@freebsd.org
Subject: Re: geli - why do I need a keyfile
Message-ID: <20180915201819.50ac10a3@gumby.homeunix.com>
In-Reply-To: <CAFPNf588xqRYZRoCACr2n_NyfMsMvrXPR4_DjWy4evBY_1HaAQ@mail.gmail.com>
References: <CAFPNf588xqRYZRoCACr2n_NyfMsMvrXPR4_DjWy4evBY_1HaAQ@mail.gmail.com>

On Fri, 14 Sep 2018 17:55:58 -0700
Lee Brown wrote:

> I want to create a geli provider as authentication only, no password,
> no encryption. I do:
...
> Instead:
> # echo " " > /tmp/key
> solves that issue, but I still don't get why I even need a key file
> with -e NULL?

Because HMAC itself needs an encrypted secret key, otherwise anyone could write to the device without it being detectable.

Without a securely entered passphrase, or a passfile on removable media, HMAC doesn't provide any authentication, it just detects bitrot and naive attempts to modify the filesystem.
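
Added example, not part of the original message: a simplified Python model of per-sector HMAC tags (not geli's actual on-disk format or key derivation) that shows the distinction drawn in the reply between detecting bitrot and detecting a deliberate rewrite. The function names, the sector layout and the use of the key file's bytes directly as the HMAC key are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def tag_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """HMAC-SHA256 over the sector number and its contents."""
    return hmac.new(key, sector_no.to_bytes(8, "little") + data, hashlib.sha256).digest()


def verify_sector(key: bytes, sector_no: int, data: bytes, tag: bytes) -> bool:
    """Constant-time check of a stored tag against a recomputed one."""
    return hmac.compare_digest(tag_sector(key, sector_no, data), tag)


def rewrite_sector(sector_no: int, new_data: bytes, old_tag: bytes, known_key=None):
    """Model a write that bypasses the integrity layer.

    A writer who knows the key stores a fresh tag; one who does not can only
    leave the old tag in place.
    """
    if known_key is not None:
        return new_data, tag_sector(known_key, sector_no, new_data)
    return new_data, old_tag


def run_demo() -> dict:
    original = b"constructed sector contents".ljust(512, b"\0")
    modified = b"modified sector contents".ljust(512, b"\0")
    rotted = bytes([original[0] ^ 0x01]) + original[1:]  # single flipped bit

    public_key = b" \n"          # bytes written by `echo " " > /tmp/key` (assumed used as the key)
    secret_key = os.urandom(32)  # stands in for a key only the owner can derive

    results = {}
    for name, key in (("public", public_key), ("secret", secret_key)):
        tag = tag_sector(key, 7, original)
        # The writer only ever knows the public key material.
        data, new_tag = rewrite_sector(7, modified, tag, known_key=public_key)
        results[name] = {
            "bitrot_detected": not verify_sector(key, 7, rotted, tag),
            "rewrite_detected": not verify_sector(key, 7, data, new_tag),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

With the publicly known key the flipped bit is still caught, but the rewritten sector verifies; only the secret key makes the rewrite detectable.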