Date: Fri, 19 May 2017 19:27:31 +0200
From: Matthias Apitz <guru@unixarea.de>
To: <freebsd-questions@freebsd.org>
Subject: Re: GnuPG smart card && geli
Message-ID: <710e7cbb-9835-4e91-8cd0-2321cdf13cdf@unixarea.de>
In-Reply-To: <20170519174734.1362cd6a@gumby.homeunix.com>
References: <20170517103822.GB16462@c720-r314251> <20170519101806.1674fda0@gecko4> <20170519161416.68df0fc8@gumby.homeunix.com> <20170519152546.GB2249@c720-r314251>
On Friday, 19 May 2017 18:47:34 CEST, RW via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> On Fri, 19 May 2017 17:25:46 +0200
> Matthias Apitz wrote:
>
>> On Friday, May 19, 2017 at 04:14:16 PM +0100, RW via
>> freebsd-questions wrote:
>>
>> > On Fri, 19 May 2017 10:19:06 -0400
>> > mfv via freebsd-questions wrote:
>
>> > A geli device can be set-up to use a passphrase and/or a passfile.
>> > You could just put the passfile on a memory stick and not use
>> > a passphrase at all.
>>
>> *This* is very insecure when the key gets stolen or copied (i.e. you
>> may even not know that someone all the time can enter in your
>> system). When the GnuPG stick gets stolen, it is useless for
>> attackers due to missing PIN.
>
> I mentioned it solely because the key being stolen and used to access
> the device is explicitly not in his threat model.
>
>
>> > FWIW I use a passfile to attach geli encrypted partitions, but the
>> > passfile is stored in a small geli encrypted file-backed md device
>> > that's passphrase protected. I did this just to avoid having to
>> > type any more than I need to, but that backing file could just as
>> > easily be on a memory stick.
>>
>> Yes, and can be opened with brute force attacks, depending on the key
>> length and the computing power.
>
> It depends on your threat model. For most people either are better than
> they need to be. If you think you might have to stand up to a serious
> attack by the likes of the NSA then you have to be certain that
> they can't bypass the 3 attempts limit on the card.
>
> I'd also be seriously concerned about that 3 attempt limit locking me
> out of my data.

On the GnuPG card you have an admin account with another PIN (in my case 8
digits) to unlock your locked SIM, with 3 attempts too. After this, the card
is to throw away, if you fail.

-- 
Sent from my Ubuntu phone
http://www.unixarea.de/
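The set-up RW describes in the quoted text (a geli passfile kept inside a small passphrase-protected, geli-encrypted, file-backed md device), written out as a FreeBSD shell procedure. This is an added example, not code from the thread or from any of its participants; the paths, the md unit number and the partition name are assumptions. With DRY_RUN=1 the commands are printed rather than executed, so the flow can be read without root or a FreeBSD machine.

```shell
#!/bin/sh
# Added example (not from the thread). The data partition is encrypted with a
# passfile only (-P/-p), and that passfile is kept inside a passphrase-protected
# geli md device, so the passfile alone is never at rest in the clear.
# Paths, md unit and partition name below are assumptions for illustration.
set -eu
KEYSTORE="${KEYSTORE:-/root/keystore.img}"   # backing file of the key store
KEYMNT="${KEYMNT:-/mnt/keystore}"             # mount point of the opened key store
DATA_DEV="${DATA_DEV:-/dev/ada0p3}"           # partition that holds the data
MD_UNIT="${MD_UNIT:-9}"                       # fixed unit, so the node is /dev/md9
PASSFILE="$KEYMNT/data.key"
DRY_RUN="${DRY_RUN:-0}"                       # 1: print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Open the key store: attach the md device, unlock geli (asks for the
# passphrase), and mount the file system that holds the passfile.
keystore_open() {
    run mdconfig -a -t vnode -f "$KEYSTORE" -u "$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run mount "/dev/md$MD_UNIT.eli" "$KEYMNT"
}

# Close the key store again so the passfile is not left readable on the
# running system after the data partition has been attached.
keystore_close() {
    run umount "$KEYMNT"
    run geli detach "/dev/md$MD_UNIT.eli"
    run mdconfig -d -u "$MD_UNIT"
}

# One-time: 4 MB backing file, geli init WITH a passphrase (no -P), a file
# system inside it, and a random 64-byte passfile written into it.
keystore_create() {
    run dd if=/dev/zero of="$KEYSTORE" bs=1m count=4
    run mdconfig -a -t vnode -f "$KEYSTORE" -u "$MD_UNIT"
    run geli init -s 4096 "/dev/md$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run newfs "/dev/md$MD_UNIT.eli"
    run mkdir -p "$KEYMNT"
    run mount "/dev/md$MD_UNIT.eli" "$KEYMNT"
    run dd if=/dev/random of="$PASSFILE" bs=64 count=1
    run chmod 0400 "$PASSFILE"
    keystore_close
}

# One-time: the data partition uses the passfile as its only key component
# (-P = no passphrase), which is the "passfile alone" case discussed above.
data_init() { keystore_open; run geli init -P -K "$PASSFILE" "$DATA_DEV"; keystore_close; }

# Every boot: open the key store, attach with -p (no passphrase) -k (passfile), close it.
data_attach() { keystore_open; run geli attach -p -k "$PASSFILE" "$DATA_DEV"; keystore_close; }

case "${1:-}" in create) keystore_create; data_init ;; attach) data_attach ;; esac
```

Whoever copies the backing file still has to guess the key store's passphrase (the brute-force point raised above); the data partition itself accepts nothing but the 64-byte passfile.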