From owner-freebsd-geom@FreeBSD.ORG Tue Dec 31 22:03:47 2013
Subject: Re: HAST + GELI?
From: "Chad J. Milios"
Date: Tue, 31 Dec 2013 17:03:33 -0500
Message-Id: <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>
To: Karl Pielorz
Cc: "freebsd-geom@freebsd.org"
List-Id: GEOM-specific discussions and implementations

Either way works great. Both ways have their benefits, pains and pitfalls. It depends on your use case, configuration, hardware, adversaries, etc. Like most security solutions, the devil, and weaknesses, lie in the details, like network engineering and key management. Care to elaborate for us?

By the way, I'll just point out, always, and now more so than ever in light of NSA and TAO, that full disk encryption is not the magic bullet we'd hope. About all you should expect from GELI is that it makes hard drive _disposal_ safer and easier at a drive's EOL, and even then not totally so. That being said, there is a worthwhile benefit _possible_ to achieve in the use case of a portable device, and many a data breach would have been prevented by proper application of GELI in that circumstance.

"Highly available" servers have a lot less practical use for GELI, especially if either is colocated. If both of your HAST nodes are in your own facilities and you have a tight and practiced mayday procedure, perhaps in addition to an automated system to trigger panic mode, it has some very good merit.

In other cases software-based full disk encryption is really only going to thwart or inconvenience the weakest of adversaries, which of course may be all you need or the best you can hope for. I use GELI almost everywhere and I've deployed it both ways with HAST depending on the situation. Neither can be credited as the reason I get any sleep at night (simple exhaustion and unimportance in the cosmic scale are what do it for me), though they can certainly have their place in a well thought out security plan/procedure, if such a thing exists.

> On Dec 30, 2013, at 5:58 PM, Karl Pielorz wrote:
>
> Hi All,
>
> As I don't currently have the requisite two boxes to try this... Is it likely / possible you can use HAST with GELI? - i.e. to have a highly available, but encrypted-on-disk device?
>
> If so, are you better off creating GELI devices (i.e. .eli) and running HAST on those, or creating HAST devices - and running GELI on those?
>
> Thanks,
>
> -Karl