Date:      Fri, 19 May 2017 16:14:16 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: GnuPG smart card && geli
Message-ID:  <20170519161416.68df0fc8@gumby.homeunix.com>
In-Reply-To: <20170519101806.1674fda0@gecko4>
References:  <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4>

On Fri, 19 May 2017 10:19:06 -0400
mfv via freebsd-questions wrote:


> >This would lead to a system (netbook) which never can be booted or
> >otherwise data read from and you can only boot it with the USB boot
> >key, the USB GnuPG-card and the PIN (normally 6 digits).


6 digits doesn't sound very secure.

> >Any comments on this?
> >
> >	matthias
> >  
> 
> Hello Matthias,
> 
> I agree with your idea.  Some time ago I did some research to find out
> a method to read the password from a USB memory stick but was not
> successful.  I was not concerned with disk encryption, just wanted a
> very long password, automatic login and no system access without a
> hardware key.  

A geli device can be set up to use a passphrase and/or a passfile. You
could just put the passfile on a memory stick and not use
a passphrase at all.

FWIW I use a passfile to attach geli encrypted partitions, but the
passfile is stored in a small geli encrypted file-backed md device
that's passphrase protected. I did this just to avoid having to type any
more than I need to, but that backing file could just as easily be on a
memory stick.  
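
The layered setup described in the message above, as an added example that is not part of the original e-mail: a passphrase-protected, file-backed geli md device holds the passfile that attaches the data partition. The paths, the md unit number, the partition name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (constructed). All paths, the md unit and the data
# provider name are assumptions; adjust before use on a FreeBSD host.
VAULT_FILE=${VAULT_FILE:-/root/vault.img}  # backing file; could sit on a memory stick
VAULT_UNIT=${VAULT_UNIT:-9}                # fixed md unit, so the device is /dev/md9
VAULT_MNT=${VAULT_MNT:-/mnt/vault}
DATA_PROV=${DATA_PROV:-/dev/ada0p4}        # hypothetical partition to encrypt
PASSFILE="$VAULT_MNT/data.pass"
VAULT_DEV="/dev/md$VAULT_UNIT"

# With DRY_RUN=1, print each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Unmount and detach the vault so the passfile is not left readable.
close_vault() {
    run umount "$VAULT_MNT" &&
    run geli detach "$VAULT_DEV.eli" &&
    run mdconfig -d -u "$VAULT_UNIT"
}

# One-time setup: build the passphrase-protected vault, write a random
# single-line passfile into it, and initialise the data provider with it.
setup_vault() {
    run truncate -s 16m "$VAULT_FILE" &&
    run mdconfig -a -t vnode -f "$VAULT_FILE" -u "$VAULT_UNIT" &&
    run geli init -s 4096 "$VAULT_DEV" &&        # prompts for the vault passphrase
    run geli attach "$VAULT_DEV" &&
    run newfs "$VAULT_DEV.eli" &&
    run mkdir -p "$VAULT_MNT" &&
    run mount "$VAULT_DEV.eli" "$VAULT_MNT" &&
    run sh -c 'umask 077; openssl rand -base64 48 > "$1"' sh "$PASSFILE" &&
    run geli init -J "$PASSFILE" "$DATA_PROV" && # passfile only, no prompt
    close_vault
}

# Each boot: type one passphrase for the vault, attach the data
# provider from the passfile, then close the vault again.
unlock_data() {
    run mdconfig -a -t vnode -f "$VAULT_FILE" -u "$VAULT_UNIT" &&
    run geli attach "$VAULT_DEV" &&
    run mount -r "$VAULT_DEV.eli" "$VAULT_MNT" &&
    run geli attach -j "$PASSFILE" "$DATA_PROV" &&
    close_vault
}
```

Source the file and call `setup_vault` once, then `unlock_data` at each boot; with `DRY_RUN=1` the functions print the commands instead of running them.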



