From: Pawel Jakub Dawidek <pjd@garage.freebsd.pl>
To: Christian Baer
Cc: freebsd-geom@freebsd.org
Date: Mon, 30 Jan 2006 21:12:52 +0100
Subject: Re: A few things about GELI
Message-ID: <20060130201252.GB928@garage.freebsd.pl>

On Mon, Jan 30, 2006 at 04:46:38PM +0100, Christian Baer wrote:
> The question is more of an academic nature, but interesting just the
> same: Can it be said that GELI is more secure (by design) than GBDE or
> vice versa? The differences are not only of cosmetic nature or in the
> user interface, but there is a real difference within the concept. Can
> one of these approaches be called more secure than the other[2]?

I'm not going to answer this. In my opinion both are secure enough for
most uses (i.e. for data privacy).

> Are there any plans to add additional ciphers like Twofish or Serpent to
> GELI?

If those will be added to crypto(9) it will be trivial to add them to
geli(8).

> What does this "sector-to-sector encryption" mean and how is it
> different from GBDE's approach?

In GBDE there is one sector with keys per 32 sectors with data. In GELI
there is one main key and each data sector is represented by exactly one
sector in the *.eli provider.

> Are there plans for a geli(4) manpage inspired by the gbde(4) manpage? It
> just shows the non-expert wonderfully how it works and how safe it is
> (in numbers).

Yes, there are plans...

> GBDE wants to be attached to a partition like adxs1d. The examples in
> the handbook however suggest that GELI should be attached to the
> hardware device adx and not to a partition. Why is this so? I am
> guessing that GELI would be just as happy to be attached to ad1s1d as to
> ad1 (wouldn't this be mandatory if there were more than one partition on
> the drive?), but does this have any (dis-)advantages?

Both gbde(8) and geli(8) can work just fine with any GEOM providers
(disks, partitions, slices, mirrors, stripes, etc.).

> If I were to use encrypted swap space I couldn't use the fstab for these
> anymore. Should I do this with a start-up script and if so, where should
> I put it? 'Where' as in 'where should it be in the boot order?'

For swap devices you simply can put /dev/adXs1.eli into /etc/fstab and
the /etc/rc.d/encswap script will detect the .eli suffix and configure
it with a one-time key.

> Basically the same thing goes for temp space. When should it be mounted?
> And more importantly, if I use a new key every time, wouldn't I need a
> newfs during every boot - before I mount /tmp?

There is no rc.d script for this yet. So now you need to put something
like this into /etc/rc.early:

	# swap-backed memory disk, e.g. md0
	prov=`mdconfig -a -t swap -s 64m`
	# attach with a random one-time key; creates /dev/${prov}.eli
	geli onetime /dev/${prov}
	# the file system goes on the encrypted provider, not the raw md device
	newfs /dev/${prov}.eli

> [2] I don't see either of them being cracked any time soon and if either
> were attacked it would probably be easier to brute force the
> passphrase than to attack the architecture itself.

In geli(8) the password is protected with PKCS#5v2. On my laptop my
passphrase is protected with 131072 iterations, which basically means it
is 2^17 times harder to break.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
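The PKCS#5 v2 point above (131072 iterations making a passphrase guess 2^17 times more expensive) as an added example that is not part of the mail or of geli(8): it implements the PBKDF2-HMAC-SHA1 loop from RFC 2898 so the iteration cost is visible, and cross-checks against Python's hashlib. Salt, passphrase and iteration counts are constructed; geli keeps its real salt and count in the provider metadata.

```python
"""PBKDF2-HMAC-SHA1 (PKCS#5 v2) work-factor demonstration.

Added example, not geli's own code. The derived key is only as expensive to
brute-force as the PRF loop below; the iteration count is the knob.
"""
import hashlib
import hmac
import struct


def pbkdf2_hmac_sha1(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2 per RFC 2898 section 5.2 with HMAC-SHA1 as the PRF."""
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    hlen = hashlib.sha1().digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen): number of T_i blocks
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(passphrase, salt + struct.pack(">I", i), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha1).digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += bytes(t)
    return out[:dklen]


def prf_calls_per_guess(iterations: int, dklen: int = 20) -> int:
    """HMAC evaluations an attacker pays for one passphrase guess."""
    return -(-dklen // hashlib.sha1().digest_size) * iterations


def relative_cost(iterations: int, baseline: int = 1) -> int:
    """How many times more expensive a guess is than with `baseline` iterations."""
    return prf_calls_per_guess(iterations) // prf_calls_per_guess(baseline)


def matches_stdlib(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bool:
    """Cross-check the hand-written loop against hashlib.pbkdf2_hmac."""
    return pbkdf2_hmac_sha1(passphrase, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, dklen)


if __name__ == "__main__":
    pw, salt = b"correct horse", b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed
    for c in (1, 1000, 131072):
        assert matches_stdlib(pw, salt, c)
        print(f"{c:>7} iterations: {relative_cost(c):>7}x the cost of one HMAC-SHA1")
```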