Date: Sun, 24 Oct 2010 18:04:32 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: Victor Sudakov <sudakov@sibptus.tomsk.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: geli keys
Message-ID: <20101024160432.GB43549@slackbox.erewhon.net>
In-Reply-To: <20101024101457.GA72426@admin.sibptus.tomsk.ru>
References: <20101024101457.GA72426@admin.sibptus.tomsk.ru>

On Sun, Oct 24, 2010 at 05:14:57PM +0700, Victor Sudakov wrote:
> Colleagues,
>
> The geli(8) man page suggests initializing a geli provider with a
> random keyfile (geli init -K). It also asks for a passphrase by default.
>
> What happens if a provider is initialized without the -K option, just
> with a passphrase?

The passphrase is not used as the key directly. It is used to derive the key
with PKCS #5 [see http://www.faqs.org/rfcs/rfc2898.html].

> Will there be no encryption?

No, there will be encryption.

> Encryption will be weaker?

I don't think so. But it depends on a lot of things. If you use a keyfile, it
needs to be on an unencrypted (or previously decrypted) partition, and it
needs to be referenced in /etc/rc.conf if you want to be able to mount that
partition at boot. So the keyfile might be random but it may not be secret
(unless you put it on a USB thumbdrive and mount that before mounting the
encrypted fs).

Roland
--
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
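
Added example, not part of the original message and not geli's own code: a simplified Python sketch of the PKCS #5 derivation mentioned above, showing that a passphrase alone, a keyfile alone, or both together each yield a full-length key. The function names, salt size, key length, iteration count and the way the two components are mixed are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 64         # assumed size of the random salt stored with the provider
KEY_LEN = 64          # 512-bit key (assumption)
ITERATIONS = 200_000  # illustrative value; each guess costs this many HMAC rounds


def strengthen(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PKCS #5 v2 (RFC 2898) PBKDF2 with HMAC-SHA512 over the passphrase."""
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, dklen=KEY_LEN)


def user_key(salt: bytes, passphrase: Optional[bytes] = None,
             keyfile: Optional[bytes] = None, iterations: int = ITERATIONS) -> bytes:
    """Mix an optional keyfile and an optional passphrase into one key.

    Simplified sketch (hypothetical helper): the keyfile bytes and the
    strengthened passphrase are fed through a single HMAC-SHA512, so either
    component alone, or both together, yield a full-length key.
    """
    if passphrase is None and keyfile is None:
        raise ValueError("need a passphrase, a keyfile, or both")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)
    if passphrase is not None:
        mac.update(strengthen(passphrase, salt, iterations))
    return mac.digest()


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    keyfile = os.urandom(64)                      # constructed stand-in keyfile
    passphrase = b"correct horse battery staple"  # constructed sample passphrase
    cases = {
        "passphrase only": user_key(salt, passphrase=passphrase),
        "keyfile only": user_key(salt, keyfile=keyfile),
        "keyfile + passphrase": user_key(salt, passphrase, keyfile),
    }
    for label, key in cases.items():
        print(f"{label:22} {len(key) * 8} bits  {key.hex()[:32]}...")
```

All three keys have the same length; what differs is what someone must obtain to reproduce them: a guessable passphrase (slowed by the salt and iteration count), a readable keyfile, or both.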