From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Date: Fri, 19 May 2017 17:25:46 +0200
Subject: Re: GnuPG smart card && geli
Message-ID: <20170519152546.GB2249@c720-r314251>
In-Reply-To: <20170519161416.68df0fc8@gumby.homeunix.com>
References: <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4> <20170519161416.68df0fc8@gumby.homeunix.com>
X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64)
User-Agent: Mutt/1.8.0 (2017-02-23)

On Friday, May 19, 2017 at 04:14:16 p.m. +0100, RW via freebsd-questions wrote:

> On Fri, 19 May 2017 10:19:06 -0400
> mfv via freebsd-questions wrote:
>
> > >This would lead to a system (netbook) which never can be booted or
> > >otherwise data read from and you can only boot it with the USB boot
> > >key, the USB GnuPG-card and the PIN (normally 6 digits).
>
> 6 digits doesn't sound very secure.

You can use as many digits as you want (and can remember). Already 6 is *very* secure because you have only 3 tries to guess the right one, i.e. no brute force.

> > >Any comments on this?
> > >
> > > matthias
> >
> > Hello Matthias,
> >
> > I agree with your idea. Some time ago I did some research to find out
> > a method to read the password from a USB memory stick but was not
> > successful. I was not concerned with disk encryption, just wanted a
> > very long password, automatic login and no system access without a
> > hardware key.
>
> A geli device can be set up to use a passphrase and/or a passfile. You
> could just put the passfile on a memory stick and not use
> a passphrase at all.

*This* is very insecure when the key gets stolen or copied (i.e. you may not even know that someone can enter your system at any time). When the GnuPG stick gets stolen, it is useless for attackers due to the missing PIN.
> FWIW I use a passfile to attach geli encrypted partitions, but the
> passfile is stored in a small geli encrypted file-backed md device
> that's passphrase protected. I did this just to avoid having to type any
> more than I need to, but that backing file could just as easily be on a
> memory stick.

Yes, and it can be opened with brute-force attacks, depending on the key length and the computing power.

matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.