Date:      Mon, 25 Oct 2010 11:38:58 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: geli keys
Message-ID:  <20101025113858.66b5a3e7@gumby.homeunix.com>
In-Reply-To: <20101025030711.GA84564@admin.sibptus.tomsk.ru>
References:  <20101024101457.GA72426@admin.sibptus.tomsk.ru> <20101024123238.34c4344a@gumby.homeunix.com> <20101025030711.GA84564@admin.sibptus.tomsk.ru>

On Mon, 25 Oct 2010 10:07:11 +0700
Victor Sudakov <sudakov@sibptus.tomsk.ru> wrote:

> RW wrote:
> > > 
> > > The geli(8) man page suggests initializing a geli provider with a
> > > random keyfile (geli init -K). It also asks for a passphrase by
> > > default.
> > > 
> > > What happens if a provider is initialized without the -K option,
> > > just with a passphrase? Will there be no encryption? Encryption
> > > will be weaker?
> > 
> > You can use either or both, they get combined. 
> 
> I see.
> 
> > It's hard to remember a passphrase that contains 256 bits of
> > entropy, OTOH a passfile might get stolen, so some people will want
> > to use both.
> 
> Why does the geli(8) man page always use a 64-byte keyfile as an
> example? Why 64 bytes and not 128 or 1024 or whatever?

IIRC geli allows for up to 512-bit key sizes, although there are no
512-bit ciphers at the moment. Keyfiles with more than 512 bits of entropy
are no better. Actually a single write from /dev/random is unlikely to
contain much more than 256 bits of entropy anyway.

> What if I use a well randomized keyfile and a weak passphrase, will
> the master key be weaker?

The keyfile and passphrase are used to encrypt the master key.

As long as a strong keyfile is secure the passphrase strength is
irrelevant, but if an attacker has the file then the passphrase may be
brute-forced. Geli's use of PKCS #5 and salting provides some protection
against this.
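The mechanism described in this thread (either input or both get combined, the combination encrypts the master key, and PKCS #5 iterations plus salting are what protects a weak passphrase once the keyfile leaks), shown as an added Python model that is not part of the original messages. It is not geli's code or its exact key schedule: the XOR wrap stands in for geli's block-cipher step, and the iteration count, salt, keyfile and master key are constructed values.

```python
import hashlib
import hmac

# Assumed iteration count for this model; real geli picks its own (geli init -i).
ITERATIONS = 100_000


def derive_key(keyfile, passphrase, salt, iterations=ITERATIONS):
    """Combine an optional keyfile and an optional passphrase into one 64-byte key.

    Simplified model of what the thread describes, not geli's exact construction:
    both parts are mixed through a salted HMAC-SHA512, so the output depends on
    everything supplied, and only the passphrase gets PKCS #5 v2 (PBKDF2) stretching.
    """
    if keyfile is None and passphrase is None:
        raise ValueError("need a keyfile, a passphrase, or both")
    mac = hmac.new(salt, digestmod=hashlib.sha512)
    if keyfile is not None:
        # A keyfile longer than 64 bytes is hashed down: extra bytes add no strength.
        mac.update(hashlib.sha512(keyfile).digest())
    if passphrase is not None:
        # Iterated PBKDF2 over the provider's salt is the cost an attacker who holds
        # the keyfile must pay for every passphrase guess.
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iterations))
    return mac.digest()


def wrap_master_key(master_key, derived):
    """Encrypt (or, since XOR is self-inverse, decrypt) the 64-byte master key.

    XOR keeps the example self-contained; geli uses a block cipher for this step.
    """
    if len(master_key) != 64 or len(derived) != 64:
        raise ValueError("master key and derived key must both be 64 bytes")
    return bytes(a ^ b for a, b in zip(master_key, derived))


# Constructed sample values, not taken from any real provider.
SALT = bytes(range(32))
KEYFILE = bytes(range(64))          # stands in for 64 bytes from /dev/random (geli init -K)
MASTER_KEY = bytes(range(64, 128))  # the key that actually encrypts the disk
WRAPPED = wrap_master_key(MASTER_KEY, derive_key(KEYFILE, "weak", SALT))


def unwrap_with(keyfile, passphrase, salt=SALT):
    """True when these inputs recover MASTER_KEY from WRAPPED (keyfile + 'weak' passphrase)."""
    return wrap_master_key(WRAPPED, derive_key(keyfile, passphrase, salt)) == MASTER_KEY
```

With the keyfile secret, the weak passphrase still unwraps nothing for someone who lacks the file; with the file in hand, each guess costs one full PBKDF2 run against this provider's salt, so tables built for another provider do not carry over.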