From: "Michael W. Lucas" <mwlucas@michaelwlucas.com>
To: questions@freebsd.org
Date: Thu, 9 Oct 2014 10:13:30 -0400
Subject: GBDE protecting the user?
Message-ID: <20141009141330.GA5655@mail.michaelwlucas.com>

Hi,

Been playing with GBDE a while, trying to make it protect me.

One of the features of GBDE is that it should "provide tangible feedback" that the data has been destroyed. (See PHK's paper at http://phk.freebsd.dk/pubs/bsdcon-03.gbde.paper.pdf, section 4.1.) The man page doesn't mention this, so what the heck, I decided to play with it.

Creating GBDE devices is very simple.

    # gbde init /dev/gpt/encrypted -L /etc/encrypted.lock

I created a filesystem, mounted it, put files on it, unmounted.

There are two operations to wipe out a GBDE: nuke and destroy. Nuke looks like the right thing. I nuke all the keys:

    # gbde nuke gpt/encrypted -l /etc/encrypted.lock -n -1
    Enter passphrase:
    Opened with key 0
    Nuked key 0
    Nuked key 1
    Nuked key 2
    Nuked key 3
    # gbde attach gpt/encrypted -l /etc/encrypted.lock
    Enter passphrase:
    #

The .bde device isn't there, and my filesystem is gone. But I received no confirmation that the keys were destroyed. I also didn't get a message that the device couldn't be attached, although it clearly isn't.

Fine. Let's try gbde destroy.

    gbde init /dev/gpt/encrypted -L /etc/encrypted.lock
    Enter new passphrase:
    Reenter new passphrase:
    # gbde destroy gpt/encrypted -l /etc/encrypted.lock
    Enter passphrase:
    Opened with key 0
    # gbde attach gpt/encrypted -l /etc/encrypted.lock
    Enter passphrase:
    #

The device isn't attached; it just fails silently.

Did I misunderstand the GBDE functionality? Am I missing something daft? Has this code just decayed with GELI's arrival?

Thanks,
==ml

-- 
Michael W. Lucas - mwlucas@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
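The post's complaint is that `gbde attach` gives no feedback after a nuke: the only evidence that the keys are gone is that the `.bde` node never appears. The script below is an added example, not code from the post or from FreeBSD; it wraps the same nuke-then-attach sequence and turns the presence or absence of the `.bde` device node into an explicit result and exit status. It assumes a FreeBSD host with gbde(8); the device directory is a parameter (default `/dev`) so the node check can be exercised against a constructed directory. The provider name and lock file follow the post (`gpt/encrypted`, `/etc/encrypted.lock`).

```shell
#!/bin/sh
# Added example: make GBDE attach failure explicit after a key wipe.
# Not part of the original post. Assumes gbde(8) is available when
# gbde_wipe_and_verify is run; bde_attached itself only inspects a directory.

# bde_attached DEVDIR PROVIDER
# Succeeds iff DEVDIR/PROVIDER.bde exists, i.e. the GBDE device is attached.
bde_attached() {
    [ -e "$1/$2.bde" ]
}

# gbde_wipe_and_verify PROVIDER LOCKFILE [DEVDIR]
# Nukes every key (-n -1, as in the post), then attempts an attach and
# reports whether the .bde node appeared, rather than relying on gbde's
# silence. Returns 0 when the wipe is confirmed (attach produced no node),
# 1 when the device still attaches, 2 when the nuke step itself failed.
gbde_wipe_and_verify() {
    provider=$1
    lock=$2
    devdir=${3:-/dev}

    if ! gbde nuke "$provider" -l "$lock" -n -1; then
        echo "nuke of $provider failed" >&2
        return 2
    fi

    # gbde attach prints nothing on failure (per the post), so the device
    # node is the only reliable indicator of the outcome.
    gbde attach "$provider" -l "$lock" 2>/dev/null

    if bde_attached "$devdir" "$provider"; then
        echo "WARNING: $devdir/$provider.bde attached after nuke; keys not destroyed" >&2
        # Detach again so the device is not left open.
        gbde detach "$provider" 2>/dev/null
        return 1
    fi

    echo "confirmed: $devdir/$provider.bde did not appear; keys destroyed"
    return 0
}

# Usage (requires gbde and a real provider):
#   gbde_wipe_and_verify gpt/encrypted /etc/encrypted.lock
```

Only `bde_attached` is exercised below; `gbde_wipe_and_verify` needs a real GBDE provider and interactive passphrase entry.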