From: RW
To: freebsd-questions@freebsd.org
Date: Fri, 19 May 2017 17:47:34 +0100
Subject: Re: GnuPG smart card && geli
Message-ID: <20170519174734.1362cd6a@gumby.homeunix.com>
In-Reply-To: <20170519152546.GB2249@c720-r314251>
References: <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4> <20170519161416.68df0fc8@gumby.homeunix.com> <20170519152546.GB2249@c720-r314251>

On Fri, 19 May 2017 17:25:46 +0200
Matthias Apitz wrote:

> On Friday, May 19, 2017 at 04:14:16 p.m. +0100, RW via
> freebsd-questions wrote:
>
> > On Fri, 19 May 2017 10:19:06 -0400
> > mfv via freebsd-questions wrote:
>
> > A geli device can be set up to use a passphrase and/or a passfile.
> > You could just put the passfile on a memory stick and not use
> > a passphrase at all.
>
> *This* is very insecure when the key gets stolen or copied (i.e. you
> may not even know that someone can enter your system at any time).
> When the GnuPG stick gets stolen, it is useless for attackers due to
> the missing PIN.

I mentioned it solely because the key being stolen and used to access
the device is explicitly not in his threat model.

> > FWIW I use a passfile to attach geli encrypted partitions, but the
> > passfile is stored in a small geli encrypted file-backed md device
> > that's passphrase protected. I did this just to avoid having to
> > type any more than I need to, but that backing file could just as
> > easily be on a memory stick.
>
> Yes, and it can be opened with brute force attacks, depending on the
> key length and the computing power.

It depends on your threat model. For most people either is better than
they need to be. If you think you might have to stand up to a serious
attack by the likes of the NSA then you have to be certain that they
can't bypass the 3 attempts limit on the card.

I'd also be seriously concerned about that 3 attempt limit locking me
out of my data.
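The two-layer arrangement RW describes above (a geli passfile kept inside a small, passphrase-protected, geli encrypted file-backed md device, so that copying the memory stick alone yields only an encrypted keystore) can be scripted. The following is an added example written for this page, not code posted by anyone in the thread; the data partition `/dev/ada0p3`, the backing file `/root/keystore.img`, md unit 9 and the mount point `/mnt/keystore` are assumed names. It defaults to a dry-run mode that prints the geli(8)/mdconfig(8) commands instead of executing them, so the sequence can be inspected on any system before it is run as root on FreeBSD with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: a geli passfile
# stored in a passphrase-protected, geli encrypted, file-backed md device.
# Device and path names below are assumptions chosen for illustration.
set -eu

DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands only
DATA_DEV="${DATA_DEV:-/dev/ada0p3}"                # assumed data partition
KEYSTORE_IMG="${KEYSTORE_IMG:-/root/keystore.img}" # assumed backing file (could sit on a memory stick)
KEYSTORE_UNIT="${KEYSTORE_UNIT:-9}"                # md unit number, assumed free
KEYSTORE_MNT="${KEYSTORE_MNT:-/mnt/keystore}"      # assumed mount point
KEYSTORE_DEV="/dev/md${KEYSTORE_UNIT}"
PASSFILE="${KEYSTORE_MNT}/geli.key"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bring the keystore up: md device -> geli attach (passphrase prompt) -> mount.
keystore_open() {
    run mdconfig -a -t vnode -f "$KEYSTORE_IMG" -u "$KEYSTORE_UNIT"
    run geli attach "$KEYSTORE_DEV"             # prompts for the keystore passphrase
    run mount "${KEYSTORE_DEV}.eli" "$KEYSTORE_MNT"
}

# Tear the keystore down again so the plaintext passfile is not left exposed.
keystore_close() {
    run umount "$KEYSTORE_MNT"
    run geli detach "${KEYSTORE_DEV}.eli"
    run mdconfig -d -u "$KEYSTORE_UNIT"
}

# One-time: create the keystore image, encrypt it with a passphrase, put a
# 64-byte random passfile inside it, and close it again.
keystore_create() {
    run truncate -s 8m "$KEYSTORE_IMG"
    run mdconfig -a -t vnode -f "$KEYSTORE_IMG" -u "$KEYSTORE_UNIT"
    run geli init "$KEYSTORE_DEV"               # sets the keystore passphrase
    run geli attach "$KEYSTORE_DEV"
    run newfs "${KEYSTORE_DEV}.eli"
    run mkdir -p "$KEYSTORE_MNT"
    run mount "${KEYSTORE_DEV}.eli" "$KEYSTORE_MNT"
    run dd if=/dev/random of="$PASSFILE" bs=64 count=1
    run chmod 0600 "$PASSFILE"
    keystore_close
}

# One-time: initialise the data provider with the passfile only (-P: no passphrase).
data_init() {
    keystore_open
    run geli init -K "$PASSFILE" -P "$DATA_DEV"
    keystore_close
}

# Routine use: open the keystore, attach the data provider with the passfile
# (-p: no passphrase), then close the keystore so only the data .eli stays up.
data_attach() {
    keystore_open
    run geli attach -k "$PASSFILE" -p "$DATA_DEV"
    keystore_close
}

data_detach() {
    run geli detach "${DATA_DEV}.eli"
}

# Usage: DRY_RUN=0 sh geli-keystore.sh create|init|attach|detach
case "${1:-}" in
    create) keystore_create ;;
    init)   data_init ;;
    attach) data_attach ;;
    detach) data_detach ;;
    *)      ;;
esac
```

With this layout the one passphrase typed per boot protects the keystore rather than the data provider directly, which is the convenience RW mentions; the trade-off raised in the thread still applies, since an attacker holding a copy of the backing file is limited only by the passphrase strength and geli's PKCS#5v2 iteration count, not by a hardware attempt counter.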