Date:      Mon, 11 Jun 2012 20:21:40 -0400
From:      "John W. O'Brien" <john@saltant.com>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        freebsd-geom@freebsd.org
Subject:   Re: Scope and purpose of each kind geli key
Message-ID:  <4FD68B94.4050200@saltant.com>
In-Reply-To: <20120610081337.GL1379@garage.freebsd.pl>
References:  <4FD3B8D5.7030906@saltant.com> <20120610081337.GL1379@garage.freebsd.pl>

On 06/10/2012 04:13 AM, Pawel Jakub Dawidek wrote:
> I think it is great that you decided to document it and I'll do my
> best to help. I'd also like to see such a description be available
> easily, and I'd be happy to add it to the GELI manual page or create
> a dedicated manual page with detailed documentation of how it works.

Thank you! I'm excited to finally give a little something back to FreeBSD.

My preference is to start by preparing changes to the existing geli(8)
manpage and section 19.16.2 of the Handbook. These will be
light-weight changes focused on clarifying at a conceptual level which
keys exist, where, and how a user can interact with them.

I like the idea of adding a dedicated manpage with much more detailed
documentation, but I will defer that for now and hopefully return to
it later.

Eventually, I would love to make supporting diagrams. All in good time.

>> Master Key
>> ----------
>> 
>> There is exactly one Master Key per provider, and it never
>> changes for the life of the provider. It is generated in userland
>> upon init (or onetime) and the user can select the key length
>> (-l).
> 
> The Master Key is always 1024 bits long (128 bytes).

Ah, of course. Since no part of the Master Key is used as direct input
to the selected block cipher, its length is independent of the key
length specified by -l.

> [...] The second part of the Master Key (next 64 bytes) is used
> directly or indirectly (depending on the configuration) for data
> encryption and optionally for data authentication. It is called
> Data Key.

s/Storage Key/Data Key/g

Got it.

> [...] It would probably be worth noting that the passphrase (either
> entered by hand or provided with the -j/-J options) is strengthened
> with the PKCS#2 PBKDF2 function based on the SHA512 algorithm.

ACK.

Is the order significant in which multiple User Key components are
given on the command line?

> [..] This is very welcome. And more details are even more
> welcome :)

I appreciate your help. It may take me a while to get up to speed on
the necessary markup languages, and to find my way around the
documentation development workflow. I don't have a ton of time to
devote, but I want to do a good job.

Regards,
John
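A toy model of the key hierarchy described in this thread, added here as an example that is not part of the original messages or of geli's own code: the 128-byte Master Key with its second 64 bytes as the Data Key, a User Key built from keyfile components and a PBKDF2-HMAC-SHA512-strengthened passphrase, and a wrap/unwrap of the Master Key under that User Key. The HMAC-based combination of components, the XOR-keystream wrap, the fixed label string, the salt handling and the iteration count are assumptions of this model, not geli's on-disk format.

```python
import hashlib
import hmac
import os

# Toy model of the geli key hierarchy discussed in the thread. The sizes and the
# PBKDF2-HMAC-SHA512 passphrase strengthening come from the thread; the wrap
# construction and the way User Key components are combined are simplifications
# chosen for this example (assumptions), not geli's actual format.
MASTER_KEY_LEN = 128         # 1024 bits, fixed regardless of -l
DATA_KEY_OFFSET = 64         # second 64 bytes of the Master Key are the Data Key
PBKDF2_ITERATIONS = 100_000  # example value chosen for this model


def derive_user_key(passphrase: bytes, keyfiles=(), salt=b"", iterations=PBKDF2_ITERATIONS) -> bytes:
    """Combine keyfile components and a PBKDF2-SHA512-strengthened passphrase."""
    mac = hmac.new(b"geli-user-key-model", digestmod=hashlib.sha512)  # label is an assumption
    for kf in keyfiles:             # components feed the MAC in the order given
        mac.update(kf)
    if passphrase:
        strengthened = hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations)
        mac.update(strengthened)
    return mac.digest()             # 64-byte User Key


def _keystream(user_key: bytes, n: int) -> bytes:
    """HMAC-SHA512 counter keystream used as a stand-in cipher for wrapping."""
    out = b""
    for i in range((n + 63) // 64):
        out += hmac.new(user_key, b"wrap" + bytes([i]), hashlib.sha512).digest()
    return out[:n]


def wrap_master_key(master_key: bytes, user_key: bytes) -> bytes:
    """Encrypt the Master Key under a User Key and append an integrity tag."""
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(user_key, len(master_key))))
    tag = hmac.new(user_key, ct, hashlib.sha512).digest()
    return ct + tag


def unwrap_master_key(blob: bytes, user_key: bytes):
    """Return the Master Key, or None if the User Key is wrong (tag mismatch)."""
    ct, tag = blob[:-64], blob[-64:]
    if not hmac.compare_digest(tag, hmac.new(user_key, ct, hashlib.sha512).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(user_key, len(ct))))


def data_key(master_key: bytes) -> bytes:
    """Slice out the Data Key: the second 64 bytes of the Master Key."""
    return master_key[DATA_KEY_OFFSET:DATA_KEY_OFFSET + 64]


def new_master_key() -> bytes:
    return os.urandom(MASTER_KEY_LEN)   # generated in userland at init time
```

In this model the User Key components are mixed sequentially, so giving keyfiles in a different order yields a different User Key; whether geli behaves the same way is exactly the question left open above.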