Date: Wed, 27 May 2009 17:56:13 +0100
From: RW <rwmaillists@googlemail.com>
To: freebsd-geom@freebsd.org
Subject: Re: Questions on GELI encryption
Message-ID: <20090527175613.1b92c217@gumby.homeunix.com>
In-Reply-To: <cf9b1ee00905270857m6e7101f8wcaf5f62b75cfbfaa@mail.gmail.com>
References: <cf9b1ee00905270445k179b9354sa44acee91507cfb8@mail.gmail.com>
	<E1M9IDy-000B1z-U0@dilbert.ticketswitch.com>
	<cf9b1ee00905270625g51c4803cj9b246097da0ad3a0@mail.gmail.com>
	<A30A1B3798866D4CAE189313FDD084081163A4@exchange.paymentallianceintl.com>
	<cf9b1ee00905270656s3970200ap7488ed686ed45f85@mail.gmail.com>
	<cf9b1ee00905270857m6e7101f8wcaf5f62b75cfbfaa@mail.gmail.com>
On Wed, 27 May 2009 18:57:11 +0300
Dan Naumov <dan.naumov@gmail.com> wrote:

> And some further questions:
>
> 1) Is there any basis for the claims that in the event of a failure
> (power outage, slowly dying drive, etc.) one is much more likely
> to lose ALL his data when using encryption vs. not using any
> encryption? The argument is that when you have a non-encrypted drive
> or partition that is damaged, you have a lot of tools at your disposal
> to attempt to recover your data, but if your data is encrypted, even
> a relatively low amount of damage in the "wrong" place on the
> drive/partition can cause it to become undecipherable and cause
> complete loss of data.

You can back up the metadata to a file; if you lock yourself out you can
use the install disk as a "live-cd".

> 2) Thanks to the help I have received so far, I now know how to use
> "passkey + keyfile", "keyfile" and "passkey" init and authentication
> methods for an encrypted GELI provider. The question I have is whether
> it is possible to have a "passkey OR keyfile" authentication method
> when using GELI. The idea is to normally use a strong passkey for
> attaching and using the providers, while keeping a keyfile stored
> "elsewhere" in a safe location out of premises. In the event of
> forgetting the passkey, the keyfile would be retrieved and used to
> access the data and change the forgotten passkey.
>

I've not used it myself, but take a look at the setkey option. You could
have key 0 as a passphrase and key 1 as a file. OTOH I don't see the
advantage of keeping the file in a safe place over keeping the
passphrase in a safe place.
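The two points in the reply above (back up the metadata sector, and use the two User Key slots so that either a passphrase or a keyfile opens the provider) as one worked procedure. This is an added example, not code from the thread or from FreeBSD; the provider name ada0p2, the keyfile path /mnt/usb/ada0p2.key and the backup path /root/ada0p2.eli.bak are assumptions. geli(8) prompts interactively for the passphrase where one is needed, so the script has a DRY_RUN mode that prints the commands instead of running them; on FreeBSD, run it as root with DRY_RUN unset.

```shell
#!/bin/sh
# Added example (not from the original thread): "passphrase OR keyfile"
# for one GELI provider by using both User Key slots:
#   slot 0 = passphrase only, slot 1 = keyfile only.
# Assumed names: provider ada0p2, keyfile /mnt/usb/ada0p2.key,
# metadata backup /root/ada0p2.eli.bak. Set DRY_RUN=1 to print the
# commands instead of executing them (no root, no FreeBSD needed).

PROV="${PROV:-ada0p2}"
KEYFILE="${KEYFILE:-/mnt/usb/ada0p2.key}"
BACKUP="${BACKUP:-/root/ada0p2.eli.bak}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: initialise the provider with a passphrase in slot 0 and keep a
# copy of the metadata sector (-B). The metadata carries the encrypted
# Master Key; if that sector is damaged and there is no backup, the data
# cannot be decrypted no matter which passphrase or keyfile you hold.
init_passphrase_slot() {
    run geli init -s 4096 -B "$BACKUP" "$PROV"
}

# Step 2: attach with the passphrase, then add a keyfile as slot 1.
# -P means "no passphrase for the new key", so slot 1 opens with the
# keyfile alone. Because the provider is attached, setkey re-wraps the
# Master Key already in the kernel and does not ask for the slot-0
# passphrase again. The keyfile is then moved off-site.
add_keyfile_slot() {
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
    run geli attach "$PROV"
    run geli setkey -n 1 -P -K "$KEYFILE" "$PROV"
}

# Step 3 (recovery): the passphrase is forgotten. Attach with the keyfile
# only (-p = no passphrase for the current key), then overwrite slot 0
# with a new passphrase; geli prompts for it.
recover_with_keyfile() {
    run geli attach -p -k "$KEYFILE" "$PROV"
    run geli setkey -n 0 "$PROV"
}

# If the on-disk metadata sector is ever corrupted, put the saved copy back.
# Both slots are inside that sector, so the backup must be refreshed after
# any setkey; otherwise a restore silently reverts to the old slots.
restore_metadata() {
    run geli restore "$BACKUP" "$PROV"
}

if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    init_passphrase_slot
    add_keyfile_slot
    recover_with_keyfile
    restore_metadata
fi
```

Note that `geli init` writes the backup once; after `setkey` the on-disk metadata has changed, so run `geli backup ada0p2 /root/ada0p2.eli.bak` again before relying on it. The two slots are independent: losing the keyfile and forgetting the passphrase leaves no third way in, which is the trade-off the reply alludes to when it asks why a keyfile in a safe place is better than a written-down passphrase in the same place.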
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090527175613.1b92c217>