Date: Fri, 10 Oct 2014 17:58:42 -0400
From: "Michael W. Lucas"
To: hackers@freebsd.org
Subject: GBDE not protecting the user
Message-ID: <20141010215842.GA6717@mail.michaelwlucas.com>
List-Id: Technical Discussions relating to FreeBSD

[Tried questions@, no answer, and the code contains things I just
cannot trigger.]

Hi,

Been playing with GBDE a while, trying to make it protect me.
One of the features of GBDE is that it should "provide tangible
feedback" that the data has been destroyed. (See PHK's paper at
http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf, section 4.1.)

The man page doesn't mention how to make GBDE whine, so what the heck,
let's make it tell me the keys are destroyed.

Creating GBDE devices is very simple.

# gbde init /dev/gpt/encrypted -L /etc/encrypted.lock

I created a filesystem, mounted it, put files on it, unmounted.

There's two operations to wipe out a GBDE: nuke and destroy. Nuke
looks like the right thing. I nuke all the keys:

# gbde nuke gpt/encrypted -l /etc/encrypted.lock -n -1
Enter passphrase:
Opened with key 0
Nuked key 0
Nuked key 1
Nuked key 2
Nuked key 3
# gbde attach gpt/encrypted -l /etc/encrypted.lock
Enter passphrase:
#

The .bde device isn't there, and my filesystem is gone. But I received
no confirmation that the keys were destroyed. I also didn't get a
message that the device couldn't be attached, although it clearly
isn't.

Fine. Let's try 'gbde destroy'.

# gbde init /dev/gpt/encrypted -L /etc/encrypted.lock
Enter new passphrase:
Reenter new passphrase:
# gbde destroy gpt/encrypted -l /etc/encrypted.lock
Enter passphrase:
Opened with key 0
# gbde attach gpt/encrypted -l /etc/encrypted.lock
Enter passphrase:
#

The device isn't attached, it just fails silently. And failing with a
specific complaint is the whole point of GBDE.

Did I misunderstand the GBDE functionality? Am I missing something
daft? Has this code just decayed with GELI's arrival?

Thanks,
==ml

-- 
Michael W. Lucas - mwlucas@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
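
Added example, not part of the original message and not FreeBSD code: a wrapper that turns the silent attach failure shown above into an explicit error by checking for the .bde node instead of relying on gbde's output. The function name and the GBDE, DEV_DIR and WAIT_SECS variables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: make a silent "gbde attach" failure loud.
# Assumptions (not from the original message): the wrapper name and the
# GBDE, DEV_DIR and WAIT_SECS override variables.

GBDE="${GBDE:-gbde}"            # command to run; overridable for testing
DEV_DIR="${DEV_DIR:-/dev}"      # where device nodes appear
WAIT_SECS="${WAIT_SECS:-5}"     # how long to wait for the .bde node

# gbde_attach_checked <provider> <lockfile>
# Returns 0 only if <provider>.bde exists after the attach attempt.
gbde_attach_checked() {
    provider="${1#/dev/}"       # accept gpt/encrypted or /dev/gpt/encrypted
    lockfile="$2"
    node="$DEV_DIR/$provider.bde"

    if [ -e "$node" ]; then
        echo "already attached: $node" >&2
        return 0
    fi

    # Record the exit status but do not trust it alone: in the sessions
    # above, attach returns to the prompt with no output and no device.
    rc=0
    "$GBDE" attach "$provider" -l "$lockfile" || rc=$?

    # Poll for the device node; its presence is the real success signal.
    tries=0
    while [ "$tries" -lt "$WAIT_SECS" ]; do
        [ -e "$node" ] && return 0
        sleep 1
        tries=$((tries + 1))
    done

    echo "gbde attach exited $rc but $node is missing;" \
         "attach did not take effect (keys may be nuked or destroyed)" >&2
    return 1
}
```

Call it as gbde_attach_checked gpt/encrypted /etc/encrypted.lock before mounting, and abort the mount when it returns non-zero.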