From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Date: Thu, 23 Mar 2017 13:11:24 +0100
Subject: geli USB key and a copy of this in file system
Message-ID: <20170323121124.GA3771@c720-r314251>
X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64)
Hello,

I have some secrets stored on a USB key which is encrypted with geli(8) this way:

making a geli-USB stick:

    # geli init -s 2048 /dev/da0
    Enter new passphrase:
    Reenter new passphrase:
    # geli attach /dev/da0
    Enter passphrase:
    # dd if=/dev/random of=/dev/da0.eli bs=1m
    # newfs /dev/da0.eli
    ...

The secret files themselves within the /dev/da0.eli filesystem are ciphered with GnuPG, and the USB key is stored at home in a safe place.

To carry a copy with me on my laptop, I have a copy of the USB key as a file 'geli.dd' which can be used the same way, i.e.

    MD=`mdconfig -a -t vnode -f geli.dd` || exit 1
    echo attaching ${MD} and mounting /dev/${MD}.eli
    echo ${MD} > /tmp/geli
    geli attach ${MD} || {
        mdconfig -d -u ${MD}
        exit 1
    }
    mount /dev/${MD}.eli /priv
    ls -l /priv
    ...

Of course, this is only to have read access to the data (or to store something temporarily to copy it later to the primary place, the USB geli partition on the key).

My question is: Is there any concern about the security of the data stored in 'geli.dd', for example in case of laptop theft or loss?

Thanks

	matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
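The attach procedure from the post, reworked as an added example (not the poster's script): it maps the image read-only, shows what geli metadata protects it, and tears the mount, the .eli provider and the md(4) unit down again when the session shell exits, so the decrypted provider does not stay attached on the laptop longer than needed. It assumes FreeBSD with geli(8)/mdconfig(8) and the placeholder paths geli.dd and /priv.

```shell
#!/bin/sh
# Added example, not from the original post. Attach a geli image file
# read-only and guarantee teardown on exit. IMG and MNT are placeholders.

# "md3" -> "3": pass the bare unit number to mdconfig -d -u so that
# "md3" and "3" behave the same.
md_unit() {
    printf '%s\n' "${1#md}"
}

# The image must be a whole number of geli sectors (the post used -s 2048);
# a truncated or padded copy will not attach cleanly.
sector_aligned() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    [ "$size" -gt 0 ] && [ $((size % $2)) -eq 0 ]
}

MD=""
cleanup() {
    # Order matters: unmount, detach the .eli provider, then free the md unit.
    umount "$MNT" 2>/dev/null
    [ -n "$MD" ] && geli detach "$MD" 2>/dev/null
    [ -n "$MD" ] && mdconfig -d -u "$(md_unit "$MD")" 2>/dev/null
}

attach_image() {
    IMG=$1 MNT=$2
    sector_aligned "$IMG" 2048 || { echo "$IMG is not 2048-byte aligned" >&2; return 1; }
    trap cleanup EXIT INT TERM
    MD=$(mdconfig -a -t vnode -o readonly -f "$IMG") || return 1
    # Show the cipher, key length and PBKDF2 iteration count guarding the image.
    geli dump "$MD" | grep -E 'ealgo|keylen|iterations'
    geli attach -r "$MD" || return 1          # -r: read-only, no accidental writes
    mount -o ro "/dev/${MD}.eli" "$MNT" || return 1
    ls -l "$MNT"
    # Work in a subshell; leaving it triggers cleanup via the EXIT trap.
    "${SHELL:-/bin/sh}"
}

# Run only when explicitly asked: GELI_IMG_RUN=1 sh attach.sh geli.dd /priv
case ${GELI_IMG_RUN:-0} in
    1) attach_image "${1:-geli.dd}" "${2:-/priv}" ;;
esac
```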