From: "Julian H. Stacey" <jhs@berklix.com>
To: freebsd-current@freebsd.org
cc: Martin Cracauer, Yonas Yanfa, "Poul-Henning Kamp"
Subject: Re: Depreciate and remove gbde
Date: Sat, 24 Oct 2015 17:58:54 +0200
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Fri, 23 Oct 2015 20:20:19 -0000." <6216.1445631619@critter.freebsd.dk>

> >If you want a secure filesystem I think that at this particular time
> >it would be entirely reasonable to use both gbde and geli stacked on
> >top of each other[...]

I've often wondered if multiple encryption (CPU permitting) is sensible
in case one day some method is cracked but another stays secure.
There have been recent discussions on cracking algorithms at
http://lists.gnupg.org/pipermail/gnupg-users/2015-October/054586.html

I see man geli has:
  Supports many cryptographic algorithms (currently AES-XTS, AES-CBC,
  Blowfish-CBC, Camellia-CBC and 3DES-CBC).

NAME section of man 1 gbde & geli both ref. GEOM.
Skimming man 1 4 8 gbde geom I'm not sure how gbde compares.

> Nobody is going to break through the GELI or GBDE crypto, they'll
> find their way to the keys instead, or more likely, jail you until
> you sing.

Yes, if 'they' are physically present government, criminals etc.
Encryption (& perhaps multiple encryption) is nice against e.g.
 - sneak thieves/ industrial spies/ remote hostile governments,
 - where one must sometimes share root with others,
 - scanners remote or local (Scanners could be hidden in BLOBs.
   Anyone else worry how many binary BLOBs are in FreeBSD, especially
   ports/ ? I started a list a couple of years back, got scared how
   many, then stopped after I realised a list was not maintainable &
   better to add a BLOB_HAZARD= label to ports Makefiles, but no one
   seemed interested),
 - casual physical loss:
   - My brother's USB stick fell off its plastic retainer to key ring,
     picture: http://www.conrad.de/ce/de/product/417197/
   - Small shiny USB sticks on a desk could be attractive like jewellery
     to birds such as magpies (`Elster' fly here; I stopped one thieving
     a shiny foil wrapped bar, a lot heavier & bigger than a USB stick).

My data is long encrypted, I'll buy phk@ a beer if we meet somewhere :-)

Cheers,
Julian
-- 
Julian Stacey, BSD Linux Unix Sys. Eng. Consultant Munich http://berklix.com
 Reply After previous text to preserve context, as in a play script.
 Indent previous text with > Insert new lines before 80 chars.
 Use plain text, Not quoted-printable, Not HTML, Not base64, Not MS.doc.