From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Subject: Re: GnuPG smart card && geli
Date: Fri, 19 May 2017 19:27:31 +0200
Message-ID: <710e7cbb-9835-4e91-8cd0-2321cdf13cdf@unixarea.de>
In-Reply-To: <20170519174734.1362cd6a@gumby.homeunix.com>
References: <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4> <20170519161416.68df0fc8@gumby.homeunix.com> <20170519152546.GB2249@c720-r314251>

On Friday, 19 May 2017 18:47:34 CEST, RW via freebsd-questions wrote:
> On Fri, 19 May 2017 17:25:46 +0200
> Matthias Apitz wrote:
>
>> On Friday, May 19, 2017 at 04:14:16 p.m. +0100, RW via freebsd-questions wrote:
>>
>> > On Fri, 19 May 2017 10:19:06 -0400
>> > mfv via freebsd-questions wrote:
>
>> > A geli device can be set up to use a passphrase and/or a passfile.
>> > You could just put the passfile on a memory stick and not use
>> > a passphrase at all.
>>
>> *This* is very insecure when the key gets stolen or copied (i.e. you
>> may not even know that someone can get into your system at any
>> time). When the GnuPG stick gets stolen, it is useless for
>> attackers due to the missing PIN.
>
> I mentioned it solely because the key being stolen and used to access
> the device is explicitly not in his threat model.
>
>
>> > FWIW I use a passfile to attach geli encrypted partitions, but the
>> > passfile is stored in a small geli encrypted file-backed md device
>> > that's passphrase protected. I did this just to avoid having to
>> > type any more than I need to, but that backing file could just as
>> > easily be on a memory stick.
>>
>> Yes, and it can be opened with brute force attacks, depending on the key
>> length and the computing power.
>
> It depends on your threat model. For most people either is better than
> they need to be. If you think you might have to stand up to a serious
> attack by the likes of the NSA then you have to be certain that
> they can't bypass the 3 attempts limit on the card.
>
> I'd also be seriously concerned about that 3-attempt limit locking me
> out of my data.

On the GnuPG card you have an admin account with another PIN (in my case 8
digits) to unlock your locked SIM, with 3 attempts too. After this, the card
is to throw away, if you fail.

-- 
Sent from my Ubuntu phone
http://www.unixarea.de/
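The layout RW describes, written out as an added example that is not code from the thread or from anyone in it: a data partition that geli unlocks from a random keyfile, with that keyfile kept on a small passphrase-protected, file-backed geli volume that is opened only long enough to attach the data partition. It is a FreeBSD sh script run as root; the partition name /dev/ada0p3, the backing-file path, the md unit number and the PBKDF2 iteration count are assumptions and can be overridden through the environment. geli's own "passfile" (-J/-j, a file containing the passphrase) also exists; the example uses a random keyfile (-K/-k), which is what the memory-stick variant in the thread amounts to. With GELI_DRY_RUN=1 it prints the commands instead of running them, so the procedure can be reviewed on a machine without geli.

```shell
#!/bin/sh
# Added example, not code from the thread. Data partition unlocked by a
# random keyfile; the keyfile lives on a passphrase-protected geli volume
# backed by a file (or a memory stick). Device, paths, md unit and the
# iteration count are assumptions; override them via the environment.
set -eu

DATA_PROV=${DATA_PROV:-/dev/ada0p3}        # assumption: partition to protect
VAULT_IMG=${VAULT_IMG:-/root/keyvault.img} # assumption: backing file
VAULT_UNIT=${VAULT_UNIT:-9}                # fixed md unit, so paths are predictable
VAULT_MNT=${VAULT_MNT:-/mnt/keyvault}
VAULT_DEV="/dev/md$VAULT_UNIT"
KEYFILE="$VAULT_MNT/data.key"
PBKDF2_ITER=${PBKDF2_ITER:-1000000}        # PKCS#5v2 iterations: cost of one passphrase guess

# run: print the command instead of executing it when GELI_DRY_RUN=1.
run() {
    if [ "${GELI_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time: create the passphrase-protected vault and a 64-byte random
# keyfile inside it. geli init prompts twice for the vault passphrase.
create_vault() {
    run dd if=/dev/zero of="$VAULT_IMG" bs=1m count=8
    run chmod 600 "$VAULT_IMG"
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$VAULT_UNIT"
    run geli init -s 4096 -i "$PBKDF2_ITER" "$VAULT_DEV"
    run geli attach "$VAULT_DEV"
    run newfs "$VAULT_DEV.eli"
    run mkdir -p "$VAULT_MNT"
    run mount "$VAULT_DEV.eli" "$VAULT_MNT"
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run chmod 600 "$KEYFILE"
}

# One-time: initialise the data partition from the keyfile alone (-P = no
# passphrase component). Drop -P and geli requires keyfile AND passphrase,
# which is the variant Matthias's objection argues for.
init_data() {
    run geli init -s 4096 -P -K "$KEYFILE" "$DATA_PROV"
}

open_vault() {
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$VAULT_UNIT"
    run geli attach "$VAULT_DEV"           # prompts for the vault passphrase
    run mount "$VAULT_DEV.eli" "$VAULT_MNT"
}

close_vault() {
    run umount "$VAULT_MNT"
    run geli detach "$VAULT_DEV"
    run mdconfig -d -u "$VAULT_UNIT"
}

# Every boot: open the vault just long enough to read the keyfile, attach
# the data partition without a passphrase prompt (-p), then lock the vault
# again so the key material is not left on a mounted filesystem.
attach_data() {
    open_vault
    run geli attach -p -k "$KEYFILE" "$DATA_PROV"
    close_vault
}

case "${1:-}" in
    create) create_vault; init_data; close_vault ;;
    attach) attach_data ;;
    "")     ;;   # no verb: only define the functions (sourced or under test)
    *)      echo "usage: $0 create|attach" >&2; exit 2 ;;
esac
```

Run `create` once and `attach` at every boot; both need root for mdconfig and geli. Whoever copies keyvault.img (or the memory stick) still has to guess the vault passphrase, and `-i` sets how expensive each guess is, which is the knob against the brute force mentioned above; the data partition itself, initialised with `-P`, opens to anyone holding data.key, which is exactly the case Matthias objects to.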