From: Christian Baer
To: freebsd-geom@freebsd.org
Date: Thu, 9 Feb 2006 01:36:17 +0100 (CET)
Organization: Convenimus Projekt
Subject: Re: -p with GELI
References: <20060208201852.GA732@garage.freebsd.pl> <20060208224645.GF732@garage.freebsd.pl>

On Wed, 8 Feb 2006 23:46:45 +0100 Pawel Jakub Dawidek wrote:
> No, but you may pass 'keyfile' through standard input, so it can be
> anything.
> You must know that for keyfiles PKCS#5v2 won't be used nor additional
> salt.

So that means, if I init a provider without a keyfile but with a long passphrase, I get the benefit of PKCS#5v2 and additional salt? That is the way I initialized all my providers so far. Could I now use -k to attach the providers as shown in the script?

> This is not to prevent brute force attack, it's just better not to use
> the same key. Actually here it is not so important as it is only used
> for Master-Key encryption which is random.

But as you wrote, part of the key is random and part is derived from the passphrase. So each key *would* be different.

> Anyway, in my opinion this is the list from the safest to the most unsafe
> configuration list:
> 1. Different passphrase for every provider.
> 2. Different key for every provider derived from the same passphrase.
> 3. One passphrase for every provider.

Where is the difference between 2 and 3? Is 3 "1 passphrase and 1 key for every provider"? Could that even be achieved?

Regards
Chris
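An added illustration of the two derivation paths the exchange contrasts, written for this archive page; it is not geli's own code and not part of either message. It models a passphrase going through PKCS#5 v2 (PBKDF2-HMAC-SHA512) with a per-provider salt, while a keyfile is mixed in raw with no KDF and no salt, so one passphrase yields a different key per provider but one keyfile yields the same key everywhere. The fixed salts, the iteration count and the HMAC-SHA512 combining step are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for two providers' per-provider salts (assumed to be
# random in a real system; fixed here so the example is repeatable).
SALT_PROVIDER_A = bytes.fromhex("00" * 32 + "aa" * 32)
SALT_PROVIDER_B = bytes.fromhex("00" * 32 + "bb" * 32)


def derive_user_key(salt: bytes, passphrase: Optional[str] = None,
                    keyfile: Optional[bytes] = None,
                    iterations: int = 1000) -> bytes:
    """Simplified model (not geli's code) of the two paths the thread describes.

    passphrase -> PBKDF2-HMAC-SHA512 (PKCS#5 v2) keyed by the provider's salt
    keyfile    -> raw bytes, no stretching and no salt
    The contributions are folded together with an HMAC-SHA512 (assumed step).
    """
    if passphrase is None and keyfile is None:
        raise ValueError("need a passphrase, a keyfile, or both")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)  # used as-is: salt and iterations play no role
    if passphrase is not None:
        stretched = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                                        salt, iterations, dklen=64)
        mac.update(stretched)
    return mac.digest()


def keys_differ_across_providers(passphrase: Optional[str] = None,
                                 keyfile: Optional[bytes] = None) -> bool:
    """Derive the user key for provider A and B from one secret.

    True means the per-provider salt produced two different keys (the
    "different key for every provider derived from the same passphrase"
    case); False means both providers end up with the identical key.
    """
    key_a = derive_user_key(SALT_PROVIDER_A, passphrase, keyfile)
    key_b = derive_user_key(SALT_PROVIDER_B, passphrase, keyfile)
    return key_a != key_b


if __name__ == "__main__":
    print("passphrase only:", keys_differ_across_providers(passphrase="long pass"))
    print("keyfile only:   ", keys_differ_across_providers(keyfile=b"\x01" * 64))
    print("both:           ", keys_differ_across_providers("long pass", b"\x01" * 64))
```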