From: Lee Brown
Date: Sat, 15 Sep 2018 12:37:46 -0700
Subject: Re: geli - why do I need a keyfile
To: freebsd-geom@freebsd.org
In-Reply-To: <20180915201819.50ac10a3@gumby.homeunix.com>
List-Id: GEOM-specific discussions and implementations

On Sat, Sep 15, 2018 at 12:18 PM, RW via freebsd-geom <freebsd-geom@freebsd.org> wrote:

> On Fri, 14 Sep 2018 17:55:58 -0700
> Lee Brown wrote:
>
> > I want to create a geli provider as authentication only, no password,
> > no encryption. I do:
> ...
> > Instead:
> > # echo " " > /tmp/key
> > solves that issue, but I still don't get why I even need a key file
> > with -e NULL?
>
> Because HMAC itself needs an encrypted secret key, otherwise anyone
> could write to the device without it being detectable.
>
> Without a securely entered passphrase, or a passfile on removable media,
> HMAC doesn't provide any authentication, it just detects bitrot and
> naive attempts to modify the filesystem.

Thanks for the explanation; in retrospect I should have read up on HMAC.
That's precisely my use-case: data integrity verification only.

I'm building a RAID1 gmirror on top of 2 geli providers, so if a disk rots
it's detected. Now I just need to test how the gmirror reacts when the
underlying geli faults.

Much appreciated

--
lee
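Added example (not part of the thread, and not geli's own code): a small Python model of an integrity-only provider of the kind Lee describes, i.e. what geli does with "-e NULL -a HMAC/SHA256 -K keyfile -P". Each sector is stored as data followed by an HMAC tag, and the model exercises the two points RW makes: a flipped bit is caught whatever the key is, but someone with raw access to the disk who also knows the key (a keyfile made with `echo " " > /tmp/key` is effectively public) can rewrite a sector and recompute a valid tag, so the tag only authenticates writes when the key is actually secret. It also shows why the sector number has to be bound into the MAC, otherwise a valid sector could be copied to another offset. The sector size, sample payload and key values are constructed for the example; geli's real key derivation, metadata layout and on-disk format are not reproduced, and where geli would fail the read with EIO (which is what a gmirror stacked on top would see) the model raises an exception.

```python
import hashlib
import hmac

# Constructed parameters for the model (not geli's real on-disk layout).
SECTOR_SIZE = 512
TAG_LEN = hashlib.sha256().digest_size  # HMAC/SHA256 tag, 32 bytes


def sector_tag(key: bytes, sector_no: int, data: bytes) -> bytes:
    """HMAC over (sector number || data).

    geli derives a per-sector authentication key from the sector offset; for
    this model, binding the offset into the MAC input has the same effect: a
    valid sector copied to a different offset no longer verifies.
    """
    return hmac.new(key, sector_no.to_bytes(8, "little") + data, hashlib.sha256).digest()


class IntegrityDisk:
    """Authentication-only provider: every sector is stored as data || tag."""

    def __init__(self, key: bytes, sectors: int) -> None:
        self.key = key
        # self.raw stands in for the backing device; anyone holding the raw
        # disk can edit it directly, bypassing the provider.
        self.raw = [bytes(SECTOR_SIZE + TAG_LEN)] * sectors

    def write(self, n: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("writes are whole sectors")
        self.raw[n] = data + sector_tag(self.key, n, data)

    def read(self, n: int) -> bytes:
        data, tag = self.raw[n][:SECTOR_SIZE], self.raw[n][SECTOR_SIZE:]
        if not hmac.compare_digest(tag, sector_tag(self.key, n, data)):
            # geli fails the read with EIO at this point; the model raises.
            raise OSError(f"sector {n}: authentication failed")
        return data

    def verifies(self, n: int) -> bool:
        try:
            self.read(n)
            return True
        except OSError:
            return False


def bitrot(disk: IntegrityDisk, n: int, offset: int) -> None:
    """A single flipped bit in the stored data, as a rotting disk would produce."""
    raw = bytearray(disk.raw[n])
    raw[offset] ^= 0x01
    disk.raw[n] = bytes(raw)


def attacker_rewrite(disk: IntegrityDisk, n: int, data: bytes, guessed_key: bytes) -> None:
    """Raw-disk access: replace sector n and recompute the tag with the key
    the attacker believes is in use."""
    disk.raw[n] = data + sector_tag(guessed_key, n, data)


def relocate(disk: IntegrityDisk, src: int, dst: int) -> None:
    """Copy a valid sector (data and tag) to another offset without the key."""
    disk.raw[dst] = disk.raw[src]


def demo(key: bytes, attacker_key: bytes = b" \n") -> dict:
    """Report which tampering the provider detects under the given key.

    attacker_key defaults to the contents of a keyfile made with
    `echo " " > /tmp/key` (a space and a newline), i.e. a key anyone can guess.
    """
    disk = IntegrityDisk(key, sectors=4)
    good = b"A" * SECTOR_SIZE
    for n in range(3):
        disk.write(n, good)

    bitrot(disk, 0, offset=100)                              # rot in sector 0
    attacker_rewrite(disk, 1, b"B" * SECTOR_SIZE, attacker_key)  # forgery in 1
    relocate(disk, 2, 3)                                     # replay 2 into 3

    return {
        "bitrot_detected": not disk.verifies(0),
        "forgery_detected": not disk.verifies(1),
        "relocation_detected": not disk.verifies(3),
    }


if __name__ == "__main__":
    print("known key  :", demo(b" \n"))               # forgery is NOT detected
    print("secret key :", demo(bytes(range(64))))     # everything is detected
```

With the public one-space key the bit flip and the relocated sector are both rejected, but the attacker's rewritten sector reads back cleanly, which is RW's point: the HMAC still catches bitrot, it just no longer says anything about who wrote the sector. With a key the attacker cannot guess all three are rejected. For Lee's integrity-only use the weak key is acceptable; for anything that should resist deliberate modification the key has to stay off the disk it protects.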