Date:      Mon, 6 Mar 2006 12:30:00 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Christian Baer <christian.baer@informatik.uni-dortmund.de>
Cc:        freebsd-geom@freebsd.org
Subject:   Re: Changing geli-providers from passphrase to keyfile
Message-ID:  <20060306113000.GC53437@garage.freebsd.pl>
In-Reply-To: <duh4l6$uv8$3@nermal.rz1.convenimus.net>
References:  <duh4l6$uv8$3@nermal.rz1.convenimus.net>

On Mon, Mar 06, 2006 at 11:58:46AM +0100, Christian Baer wrote:
> geli supports changing passphrases. The question is, can I tell geli to
> attach a provider created with a passphrase using a keyfile? If this
> *is* possible, is it a good idea or rather not and, how is it done?

No, this is not possible and AFAIR we discussed it in the last already.

I'm not planning to add gbde(8)'s -p/-P options, because they only
create confusion - they were designed to be used for testing and now are
used in e.g. /etc/rc.d/encswap.

If you want to use one passphrase and still want PKCS#5v2 protection for
it, you're on your own. You may for example create one big file with
random data and encrypt it with geli(8):

	# dd if=/dev/zero of=/etc/keys.bin bs=128k count=3
	# mdconfig -a -f /etc/keys.bin
	# geli init md0
	Enter new passphrase:
	Reenter new passphrase:
	# geli attach md0
	Enter passphrase:
	# dd if=/dev/random of=/dev/md0.eli bs=128k count=3

then use this random data to encrypt the real providers:

	# dd if=/dev/md0.eli bs=128k count=1 | geli attach -k - prov1
	# dd if=/dev/md0.eli bs=128k skip=1 count=1 | geli attach -k - prov2
	# dd if=/dev/md0.eli bs=128k skip=2 count=1 | geli attach -k - prov3
	# geli detach md0

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
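
As an added example (not code from the mail or from geli itself), the slice-per-provider scheme above generalised to any number of providers in a POSIX sh script; the names SLICE_BS, slice_key, slice_ok, attach_all and make_demo_container are chosen for this illustration. Each 128k slice is checked for full length and non-zero content before it is piped to geli attach -k -, so a missing or unfilled key container cannot silently attach a provider with a bad key.

```shell
#!/bin/sh
# Added example, not code from the mail or from geli: one key container,
# one 128k slice per provider, with a sanity check before each attach.
# Names below (SLICE_BS, slice_key, slice_ok, attach_all, make_demo_container)
# are chosen for this illustration.

SLICE_BS=131072   # 128k, the dd bs= used in the mail; one slice per provider

# slice_key CONTAINER INDEX  -> slice INDEX (0-based) on stdout
slice_key() {
    dd if="$1" bs="$SLICE_BS" skip="$2" count=1 2>/dev/null
}

# slice_ok CONTAINER INDEX  -> 0 if the slice is full length and not all zero,
# which is what you get when the container is missing, too small, or was
# never filled with random data.
slice_ok() {
    tmp=$(mktemp) || return 1
    slice_key "$1" "$2" > "$tmp"
    len=$(wc -c < "$tmp" | tr -d ' ')
    nonzero=$(tr -d '\000' < "$tmp" | wc -c | tr -d ' ')
    rm -f "$tmp"
    [ "$len" -eq "$SLICE_BS" ] && [ "$nonzero" -gt 0 ]
}

# attach_all CONTAINER PROV...  -> attach each provider with its own slice;
# stop at the first slice that fails the check so no provider is attached
# with a bad key.
attach_all() {
    container=$1; shift
    i=0
    for prov in "$@"; do
        slice_ok "$container" "$i" || { echo "bad key slice $i for $prov" >&2; return 1; }
        slice_key "$container" "$i" | geli attach -k - "$prov" || return 1
        i=$((i + 1))
    done
}

# make_demo_container PATH  -> constructed test data: three random slices
# followed by one all-zero slice (the kind of slice slice_ok must reject).
make_demo_container() {
    dd if=/dev/urandom of="$1" bs="$SLICE_BS" count=3 2>/dev/null &&
    dd if=/dev/zero of="$1" bs="$SLICE_BS" seek=3 count=1 conv=notrunc 2>/dev/null
}

# Real use on FreeBSD, after 'geli attach md0' as in the mail:
#   attach_all /dev/md0.eli prov1 prov2 prov3
```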
