From: "John W. O'Brien" <john@saltant.com>
Organization: Saltant Solutions
Date: Mon, 11 Jun 2012 20:21:40 -0400
To: Pawel Jakub Dawidek
Cc: freebsd-geom@freebsd.org
Subject: Re: Scope and purpose of each kind geli key
Message-ID: <4FD68B94.4050200@saltant.com>
In-Reply-To: <20120610081337.GL1379@garage.freebsd.pl>
List-Id: GEOM-specific discussions and implementations

On 06/10/2012 04:13 AM, Pawel Jakub Dawidek wrote:
> I think this is great you decided to document it and I'll do my
> best to help. I'd also like to see such description to be available
> easily and I'd be happy to add it to GELI manual page or create
> dedicated manual page with detailed documentation how it works.

Thank you! I'm excited to finally give a little something back to
FreeBSD.

My preference is to start by preparing changes to the existing geli(8)
manpage and section 19.16.2 of the Handbook. These will be light-weight
changes focused on clarifying at a conceptual level which keys exist,
where, and how a user can interact with them. I like the idea of adding
a dedicated manpage with much more detailed documentation, but I will
defer that for now and hopefully return to it later. Eventually, I would
love to make supporting diagrams. All in good time.

>> Master Key
>> ----------
>>
>> There is exactly one Master Key per provider, and it never
>> changes for the life of the provider. It is generated in userland
>> upon init (or onetime) and the user can select the key length
>> (-l).
>
> The Master Key is always 1024 bits long (128 bytes).

Ah, of course. Since no part of the Master Key is used as direct input
to the selected block cipher, its length is independent of the key
length specified by -l.

> [...] The second part of the Master Key (next 64 bytes) is used
> directly or indirectly (depending on the configuration) for data
> encryption and optionally for data authentication. It is called
> Data Key.

s/Storage Key/Data Key/g

Got it.

> [...] It would probably be worth noting that passphrase (either
> entered by hand or provided with -j/-J options) is strengthened
> with PKCS#2 PBKDF2 function based on SHA512 algorithm.

ACK. Is the order significant in which multiple User Key components are
given on the command line?

> [..] This is very welcome. And more details are even more
> welcome:)

I appreciate your help. It may take me a while to get up to speed on the
necessary markup languages, and to find my way around the documentation
development workflow. I don't have a ton of time to devote, but I want
to do a good job.

Regards,
John
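As an added illustration of the key sizes and passphrase handling stated in the thread above (this is example code written for this page, not code from geli, FreeBSD, or either correspondent), the model below fixes the Master Key at 128 bytes, takes its second 64 bytes as the Data Key, and strengthens a passphrase with PBKDF2-HMAC-SHA512 before it becomes a User Key component. Three details are assumptions made here for illustration only: the 64-byte PBKDF2 output length, the salt and iteration count supplied by the caller, and the rule that a cipher key of -l bits is simply the first -l bits of the Data Key (the thread only says the Data Key is used "directly or indirectly"). The point the code makes is the one John draws: changing -l changes what is cut from the Data Key, never the size of the Master Key.

```python
import hashlib
import secrets

# Sizes as stated in the thread: Master Key is 1024 bits; the Data Key
# is its second 64 bytes (the first 64 bytes are not discussed there).
MASTER_KEY_LEN = 128
DATA_KEY_LEN = 64
DATA_KEY_OFFSET = MASTER_KEY_LEN - DATA_KEY_LEN

# ASSUMPTION for illustration: PBKDF2 output length of 64 bytes.
PBKDF2_OUT_LEN = 64


def strengthen_passphrase(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA512, the strengthening the thread says geli applies
    to a passphrase (typed or given via -j/-J). Salt and iteration count are
    caller-supplied assumptions here, not values taken from geli."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if not salt:
        raise ValueError("a salt is required")
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations,
                               dklen=PBKDF2_OUT_LEN)


def generate_master_key() -> bytes:
    """Master Key: random, fixed at 128 bytes regardless of -l, created once
    and never changed for the life of the provider."""
    return secrets.token_bytes(MASTER_KEY_LEN)


def data_key(master_key: bytes) -> bytes:
    """The second 64 bytes of the Master Key, called the Data Key."""
    if len(master_key) != MASTER_KEY_LEN:
        raise ValueError("Master Key must be exactly %d bytes" % MASTER_KEY_LEN)
    return master_key[DATA_KEY_OFFSET:]


def cipher_key(data_key_bytes: bytes, keylen_bits: int) -> bytes:
    """Model of the Data Key being used 'directly' for a block cipher whose
    key length was chosen with -l. ASSUMPTION: we take the leading keylen_bits
    of the Data Key; geli's own selection is not described in the thread."""
    if len(data_key_bytes) != DATA_KEY_LEN:
        raise ValueError("Data Key must be exactly %d bytes" % DATA_KEY_LEN)
    if keylen_bits % 8 or keylen_bits < 8 or keylen_bits > DATA_KEY_LEN * 8:
        raise ValueError("unsupported cipher key length: %d bits" % keylen_bits)
    return data_key_bytes[: keylen_bits // 8]


def demo(keylen_bits: int = 256) -> dict:
    """Walk a provider's keys once and return the sizes involved, so the
    independence of the Master Key length from -l is visible."""
    mkey = generate_master_key()
    dkey = data_key(mkey)
    ckey = cipher_key(dkey, keylen_bits)
    # Constructed sample passphrase and salt for the demonstration only.
    user_component = strengthen_passphrase(b"example passphrase", b"\x01" * 16, 10000)
    return {
        "master_key_len": len(mkey),
        "data_key_len": len(dkey),
        "cipher_key_len": len(ckey),
        "user_component_len": len(user_component),
    }


if __name__ == "__main__":
    for bits in (128, 192, 256):
        print(bits, demo(bits))
```

Run with different values of -l (128, 192, 256) and only cipher_key_len moves; master_key_len stays 128 because, as the thread notes, no part of the Master Key is fed straight into the block cipher. The PBKDF2 helper is deterministic for a given passphrase, salt and iteration count, which is what lets a stored salt and count recover the same User Key component at attach time.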