Date: Fri, 19 May 2017 17:47:34 +0100 From: RW <rwmaillists@googlemail.com> To: freebsd-questions@freebsd.org Subject: Re: GnuPG smart card && geli Message-ID: <20170519174734.1362cd6a@gumby.homeunix.com> In-Reply-To: <20170519152546.GB2249@c720-r314251> References: <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4> <20170519161416.68df0fc8@gumby.homeunix.com> <20170519152546.GB2249@c720-r314251>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 19 May 2017 17:25:46 +0200 Matthias Apitz wrote: > El d=C3=ADa viernes, mayo 19, 2017 a las 04:14:16p. m. +0100, RW via > freebsd-questions escribi=C3=B3: >=20 > > On Fri, 19 May 2017 10:19:06 -0400 > > mfv via freebsd-questions wrote: > > A geli device can be set-up to use a passphrase and/or a passfile. > > You could just put the passfile on a memory stick and not use > > a passphrase at all. =20 >=20 > *This* is very insecure when the key gets stolen or copied (i.e. you > may even not know that someone all the time can enter in your > system). When the GnuPG stick gets stolen, it is useless for > attackers due to missing PIN. I mentioned it solely because the key being stolen and used to access the device is explicitly not in his threat model.=20 > > FWIW I use a passfile to attach geli encrypted partitions, but the > > passfile is stored in a small geli encrypted file-backed md device > > that's passphrase protected. I did this just to avoid having to > > type any more than I need to, but that backing file could just as > > easily be on a memory stick. =20 >=20 > Yes, and can be opened with brute force attacks, depending on the key > length and the computing power. It depends on your threat model. For most people either are better than they need to be. If you think you might have to stand up to a serious attack by the likes of the NSA then you have to be certain that they can't bypass the 3 attempts limit on the card. =20 I'd also be seriously concerned about that 3 attempt limit locking me out of my data.=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170519174734.1362cd6a>