From: Pawel Jakub Dawidek
To: Christian Baer
Cc: freebsd-geom@freebsd.org
Date: Mon, 6 Mar 2006 12:30:00 +0100
Subject: Re: Changing geli-providers from passphrase to keyfile
Message-ID: <20060306113000.GC53437@garage.freebsd.pl>
On Mon, Mar 06, 2006 at 11:58:46AM +0100, Christian Baer wrote:
> geli supports changing passphrases. The question is, can I tell geli to
> attach a provider created with a passphrase using a keyfile? If this
> *is* possible, is it a good idea or rather not and, how is it done?

No, this is not possible and AFAIR we discussed it in the list already.
I'm not planning to add gbde(8)'s -p/-P options, because they only create
confusion - they were designed to be used for testing and now are used in
eg. /etc/rc.d/encswap.

If you want to use one passphrase and still want PKCS#5v2 protection for
it you're on your own. You may for example create one big file with random
data and encrypt it with geli(8):

	# dd if=/dev/zero of=/etc/keys.bin bs=128k count=3
	# mdconfig -a -f /etc/keys.bin
	# geli init md0
	Enter new passphrase:
	Reenter new passphrase:
	# geli attach md0
	Enter passphrase:
	# dd if=/dev/random of=/dev/md0.eli bs=128k count=3

then use this random data to encrypt the real providers:

	# dd if=/dev/md0.eli bs=128k count=1 | geli attach -k - prov1
	# dd if=/dev/md0.eli bs=128k skip=1 count=1 | geli attach -k - prov2
	# dd if=/dev/md0.eli bs=128k skip=2 count=1 | geli attach -k - prov3
	# geli detach md0

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
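The keystore procedure from the mail, written up as an added example script (not Pawel's code or part of geli). It assumes the real providers were initialised keyfile-only so attach uses -p, 128 KiB of key material per provider, and one spare slice so geli's metadata sector fits; the md unit, keystore path and provider names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the mail: the keystore procedure above as a script.
# Assumptions not stated there: the real providers were initialised keyfile-only
# (geli init -P -K ...), so attach uses -p; one 128 KiB slice per provider; one
# spare slice is allocated so geli's own metadata sector fits in the keystore.
set -eu

KEYSTORE=${KEYSTORE:-/etc/keys.bin}   # file backing the encrypted keystore
SLICE=131072                          # 128k of key material per provider
MD=""                                 # md(4) unit once the keystore is attached

cleanup() {
    # Always detach the keystore so decrypted key material does not stay
    # reachable after the real providers have been attached.
    if [ -n "$MD" ]; then
        geli detach "$MD" 2>/dev/null || true
        mdconfig -d -u "$MD" 2>/dev/null || true
    fi
}

# slice_skip N COUNT: dd 'skip' value for provider N (1-based) of COUNT slices;
# fails when N is out of range so a typo cannot silently reuse another key.
slice_skip() {
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] || return 1
    echo $(($1 - 1))
}

# keystore_create COUNT: run once; builds the keystore and fills it with random keys.
keystore_create() {
    dd if=/dev/zero of="$KEYSTORE" bs=$SLICE count=$(($1 + 1)) 2>/dev/null
    MD=$(mdconfig -a -t vnode -f "$KEYSTORE")
    trap cleanup EXIT
    geli init "$MD"                   # prompts for the single passphrase
    geli attach "$MD"
    dd if=/dev/random of="/dev/$MD.eli" bs=$SLICE count="$1" 2>/dev/null
}

# keystore_open: attach the passphrase-protected keystore (prompts for it).
keystore_open() {
    MD=$(mdconfig -a -t vnode -f "$KEYSTORE")
    trap cleanup EXIT
    geli attach "$MD"
}

# provider_attach N COUNT PROV: feed slice N to geli as PROV's key file on stdin.
provider_attach() {
    skip=$(slice_skip "$1" "$2") || return 1
    dd if="/dev/$MD.eli" bs=$SLICE skip="$skip" count=1 2>/dev/null \
        | geli attach -p -k - "$3"
}
```

Typical use on the box: `keystore_open`, then `provider_attach 1 3 ada0p2` and `provider_attach 2 3 ada1p2`; the EXIT trap detaches the keystore when the shell exits.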