From: Robert Simmons <rsimmons0@gmail.com>
To: freebsd-geom@freebsd.org
Date: Thu, 12 Apr 2012 12:24:25 -0400
Subject: Re: Automatic Geli?
In-Reply-To: <4f864bb4.Q7/highsGaOoTKF6%perryh@pluto.rain.com>
References: <20120411093458.GC1319@garage.freebsd.pl> <4f864bb4.Q7/highsGaOoTKF6%perryh@pluto.rain.com>
On Wed, Apr 11, 2012 at 11:27 PM, wrote:
> Pawel Jakub Dawidek wrote:
>
>> If they distribute an encrypted image that actually works, it means
>> they distribute the key along with the image. As was already noted,
>> this serves no purpose, as you can extract the key from the image
>> and decrypt the whole thing on your own.
>
> s/serves no purpose/provides no real security/
>
> It will stop those who can't figure out _how_ to extract the key
> from the image, and it will deter those whose interest in bypassing
> the encryption is not strong enough to justify the effort. Making
> offline access non-trivial might also have legal implications in
> some jurisdictions, since having gone to the trouble of extracting
> the key would impair the credibility of a subsequent assertion that
> any improprieties had been inadvertent.

It will stop those who can figure out how???? It's a file in the
unencrypted portion of the image. "Extracting" would entail:

geli attach -j /pathto/foo.pass -k /pathto/foo.key /dev/foo0

There is no effort involved. And they are not "bypassing the encryption"
or "making offline access non-trivial". They are "doing it wrong". I'm
not sure that anything you said makes sense.