From owner-freebsd-geom@FreeBSD.ORG Wed May 27 11:45:49 2009
Date: Wed, 27 May 2009 14:45:48 +0300
From: Dan Naumov <dan.naumov@gmail.com>
To: freebsd-geom@freebsd.org
Subject: Questions on GELI encryption
List-Id: GEOM-specific discussions and implementations
Hello (World) again :)

Sorry for creating another discussion thread so fast, but since the new questions I have do not fall under the scope of "CPU horsepower requirements for GELI", I thought they deserved a new one:

1) I am reading the Handbook section on GELI ( http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html ) and I am a bit confused. The example a) creates a keyfile, b) initializes a provider with the keyfile, c) attaches the provider, d) creates a new filesystem directly on the provider and e) mounts it. Now, I am probably missing something very obvious, but are "slices" no longer a requirement for creating and using a UFS filesystem in FreeBSD?

2) The example in the Handbook encrypts the entire drive. If my system is going to use 1 big drive, and I want /home and /data encrypted while the rest of the system can stay non-encrypted, how should I go about doing this? Should I create a single big slice with 1 big root partition and 2 separate partitions for /home and /data, and then initialise GELI on these specific partitions? Can basically anything be used as a "provider" for GELI? A disk drive, a slice, a partition inside a slice, a file?

3) The Handbook states the following: "It is not mandatory that both a passphrase and a key file are used; either method of securing the Master Key can be used in isolation." Now, how to use just the keyfile is pretty obvious; according to the geli manpage, "geom init -P" will not use the passphrase as the key component. However, if I want to just protect my data using the passphrase and not use the keyfile(s), how do I do this? What are the implications of using only the passphrase instead of using both a passphrase and a keyfile?

Thanks!

Dan Naumov
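The per-partition workflow asked about in questions 2 and 3, as an added example that is not part of the post or of the Handbook: a small sh script that runs the Handbook's init/attach/newfs/mount sequence against one partition instead of a whole disk, with the geli flags chosen by how the Master Key is to be protected (keyfile only, passphrase only, or both). The partition name ada0p3, the mount point and the keyfile path are constructed placeholders; DRY_RUN=1 prints the commands instead of executing them, which is what lets the script run outside FreeBSD.

```sh
#!/bin/sh
# Encrypt ONE partition with GELI (a GPT partition like ada0p3 or a BSD
# partition inside a slice like ada0s1e both work: geli layers on any GEOM
# provider). DRY_RUN=1 echoes the commands instead of running them.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Flags for "geli init" by key-protection mode:
#   keyfile    -P (no passphrase) and -K KEYFILE
#   passphrase no flags; geli prompts for the passphrase and uses only it
#   both       -K KEYFILE; geli still prompts for the passphrase
geli_init_args() {
  case "$1" in
    keyfile)    echo "-P -K $2" ;;
    passphrase) echo "" ;;
    both)       echo "-K $2" ;;
    *)          echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Matching flags for "geli attach" (-p / -k are the attach-side spellings).
geli_attach_args() {
  case "$1" in
    keyfile)    echo "-p -k $2" ;;
    passphrase) echo "" ;;
    both)       echo "-k $2" ;;
    *)          echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# encrypt_partition PART MOUNTPOINT MODE [KEYFILE]
encrypt_partition() {
  part=$1 mnt=$2 mode=$3 keyfile=${4:-}
  if [ "$mode" != passphrase ] && [ -z "$keyfile" ]; then
    echo "mode $mode needs a keyfile path" >&2; return 1
  fi
  # Create the keyfile only when a keyfile mode is used and none exists yet.
  if [ "$mode" != passphrase ] && [ ! -s "$keyfile" ]; then
    run dd if=/dev/random of="$keyfile" bs=64 count=1
  fi
  run geli init -s 4096 $(geli_init_args "$mode" "$keyfile") "/dev/$part"
  run geli attach $(geli_attach_args "$mode" "$keyfile") "/dev/$part"
  run newfs -U "/dev/$part.eli"   # filesystem goes on the .eli device
  run mkdir -p "$mnt"
  run mount "/dev/$part.eli" "$mnt"
}
```

Only the *.eli device ever carries plaintext; the raw partition underneath holds the GELI metadata and ciphertext, so the unencrypted root partition and the encrypted /home and /data partitions can share one disk.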