Date: Wed, 27 May 2009 13:27:14 +0100
From: Pete French <petefrench@ticketswitch.com>
To: dan.naumov@gmail.com, freebsd-geom@freebsd.org
Subject: Re: Questions on GELI encryption
Message-ID: <E1M9IDy-000B1z-U0@dilbert.ticketswitch.com>
In-Reply-To: <cf9b1ee00905270445k179b9354sa44acee91507cfb8@mail.gmail.com>

> 3) The handbook states the following: "It is not mandatory that both a
> passphrase and a key file are used; either method of securing the
> Master Key can be used in isolation.". Now, how to use just the
> keyfile is pretty obvious, according to the geli manpage "geom init
> -P" will not use the passphrase as the key component. However, if I
> want to just protect my data using the passphrase and not use the
> keyfile(s), how do I do this? What are the implications of using only
> the passphrase instead of using both a passphrase and a keyfile?

Just initialise it with only the passphrase, and it will ask for it on boot.

One thing which always annoyed me was with multiple encrypted drives it would ask me for the password multiple times on boot (I have a zpool over the top of encrypted drives). I eventually solved this with a very small encrypted partition (a couple of K) which is then used as the keyfile for the other partitions. So it asks me once, decrypts the small passphrase partition (which is full of random data) and then uses that as the keyfile for the rest of the drives.

Works quite nicely.

-pete.
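
The key-partition arrangement described in the message above, written out as an added example; it is not part of the original e-mail and is not the poster's own script. The device names (da0p1, da1, da2), the RUN dry-run switch and the final detach step are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Device names are hypothetical; check them before use.
# RUN defaults to "echo", so the commands are printed rather than executed.
# Set RUN= (empty) on a FreeBSD host to run them for real.
RUN="${RUN-echo}"

KEYPART="${KEYPART:-da0p1}"   # small partition unlocked by the passphrase (assumed name)
DATA="${DATA:-da1 da2}"       # providers keyed from the key partition (assumed names)

# One-time setup: initialise the key partition with a passphrase only,
# fill its decrypted view with random data, then initialise every data
# provider with no passphrase (-P) and that view as the keyfile (-K).
geli_keypart_init() {
    $RUN geli init "/dev/$KEYPART"          # prompts for the passphrase
    $RUN geli attach "/dev/$KEYPART"
    # dd stops when the small device is full
    $RUN dd if=/dev/random of="/dev/$KEYPART.eli" bs=512
    for d in $DATA; do
        $RUN geli init -P -K "/dev/$KEYPART.eli" "/dev/$d"
    done
}

# Every boot: one passphrase prompt unlocks the key partition, then each
# data provider is attached without a passphrase (-p) using it as keyfile (-k).
geli_keypart_attach() {
    $RUN geli attach "/dev/$KEYPART" || return 1    # the only prompt
    for d in $DATA; do
        $RUN geli attach -p -k "/dev/$KEYPART.eli" "/dev/$d" || return 1
    done
    # Added hardening step (not in the message): once the data providers are
    # attached, detach the key partition so the key material is not left
    # readable through /dev for the rest of the uptime.
    $RUN geli detach "/dev/$KEYPART.eli"
}
```

With this layout the passphrase on the key partition is the only secret protecting every data provider, so its strength and the key partition's metadata backup matter for all of them.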