From owner-freebsd-current@freebsd.org Sat Oct 24 19:06:28 2015 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 82670A1D5B7 for ; Sat, 24 Oct 2015 19:06:28 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 44BE21C4B for ; Sat, 24 Oct 2015 19:06:27 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id t9OJ6BJj092861 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 24 Oct 2015 12:06:11 -0700 (PDT) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id t9OJ6B5F092860; Sat, 24 Oct 2015 12:06:11 -0700 (PDT) (envelope-from jmg) Date: Sat, 24 Oct 2015 12:06:11 -0700 From: John-Mark Gurney To: "Julian H. Stacey" Cc: freebsd-current@freebsd.org, Martin Cracauer , Yonas Yanfa , Poul-Henning Kamp Subject: Re: Depreciate and remove gbde Message-ID: <20151024190611.GE65715@funkthat.com> References: <6216.1445631619@critter.freebsd.dk> <201510241559.t9OFwsiF078038@fire.js.berklix.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201510241559.t9OFwsiF078038@fire.js.berklix.net> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Sat, 24 Oct 2015 12:06:12 -0700 (PDT) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Oct 2015 19:06:28 -0000 Julian H. Stacey wrote this message on Sat, Oct 24, 2015 at 17:58 +0200: > > >If you want a secure filesystem I think that at this particular time > > >it would be entirely reasonable to use both gbde and geli stacked on > > >top of each other[...] > > I've often wondered if multiple encryption (CPU permitting) is sensible in > case one day some method is cracked but another stays secure. Depends if you care about performance or not. gbde is very slow, maybe 150MB/sec/core on a decently fast processor... Where as geli is ~1GB/sec/core (AES-XTS)... > There's been recent discussions on cracking algorithms at > http://lists.gnupg.org/pipermail/gnupg-users/2015-October/054586.html > > I see man geli has: > Supports many cryptographic algorithms (currently AES-XTS, > AES-CBC, Blowfish-CBC, Camellia-CBC and 3DES-CBC). > NAME section of man 1 gbde & geli both ref. GEOM. > Skimming man 1 4 8 gbde geom I'm not sure how gbde compares. gbde uses AES128-CBC, which is bad for modern processors that have AES-NI instructions, as AES-CBC cannot be pipelined. > > Nobody is going to break through the GELI or GBDE crypto, they'll > > find their way to the keys instead, or more likely, jail you until > > you sing. > > Yes, if 'they' are physicaly present government, criminals etc. > > Encryption (& perhaps multiple encryption) is nice against eg The thing I like most about encryption is that when I RMA a bad drive, I don't have to worry about my data leaking if I am unable to overwrite all the data... Also, for SSD's, where a complete overwrite will not overwrite all the data, this helps that.. Note that even w/ drives purporting to provide hardware encryption they don't do it very well: http://arstechnica.com/security/2015/10/western-digital-self-encrypting-hard-drives-riddled-with-security-flaws/ -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."