Date: Thu, 9 Feb 2006 01:36:17 +0100 (CET)
From: Christian Baer <christian.baer@informatik.uni-dortmund.de>
To: freebsd-geom@freebsd.org
Subject: Re: -p with GELI
Message-ID: <dse2q1$i5h$1@nermal.rz1.convenimus.net>
References: <dsdidb$gf7$1@nermal.rz1.convenimus.net> <20060208201852.GA732@garage.freebsd.pl> <dsdp4d$gf7$2@nermal.rz1.convenimus.net> <20060208224645.GF732@garage.freebsd.pl>
On Wed, 8 Feb 2006 23:46:45 +0100 Pawel Jakub Dawidek wrote:

> No, but you may pass 'keyfile' through standard input, so it can be
> anything.
> You must know that for keyfiles PKCS#5v2 won't be used nor additional
> salt.

So that means, if I init a provider without a keyfile but with a long passphrase, I get the benefit of PKCS#5v2 and additional salt? That is the way I initialized all my providers so far. Could I now use -k to attach the providers as shown in the script?

> This is not to prevent brute force attack, it's just better not to use
> the same key. Actually here it is not so important as it is only used
> for Master-Key encryption which is random.

But as you wrote, part of the key is random and part is derived from the passphrase. So each key *would* be different.

> Anyway, in my opinion this is the list from the safest to the most unsafe
> configuration list:
> 1. Different passphrase for every provider.
> 2. Different key for every provider derived from the same passphrase.
> 3. One passphrase for every provider.

Where is the difference between 2 and 3? Is 3 "1 passphrase and 1 key for every provider"? Could that even be achieved?

Regards
Chris
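The distinction Pawel draws above (a passphrase goes through PKCS#5v2 key derivation with a salt, a keyfile does not) is easy to see in code. The following is an added illustration, not part of the thread and not GELI's own implementation: it models the two paths with `hashlib.pbkdf2_hmac` and shows why the same passphrase with a different salt per provider yields a different key for each (Pawel's option 2), while a reused keyfile yields the same key everywhere. The iteration count, hash choice, key length and the `combine_keyfile_and_passphrase` model are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for the illustration (assumptions, not GELI's values).
ITERATIONS = 50_000
KEY_LEN = 32


def derive_from_passphrase(passphrase: str, salt: bytes,
                           iterations: int = ITERATIONS) -> bytes:
    """PKCS#5 v2 (PBKDF2-HMAC-SHA512): the passphrase is stretched by
    `iterations` rounds and bound to a per-provider salt, so brute force
    costs `iterations` hashes per guess and cannot be shared across providers."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def key_from_keyfile(keyfile_bytes: bytes) -> bytes:
    """Keyfile path as described in the thread: no PBKDF2, no salt.
    The file's bytes are only reduced to a fixed length (assumed model), so the
    key is exactly as strong as the file's entropy and identical wherever the
    file is reused."""
    return hashlib.sha512(keyfile_bytes).digest()[:KEY_LEN]


def combine_keyfile_and_passphrase(keyfile_bytes: bytes, passphrase: str,
                                   salt: bytes) -> bytes:
    """Hypothetical combination of both inputs (assumption for the example):
    the salted, stretched passphrase key is mixed with the keyfile key via HMAC,
    so the result changes if either input or the salt changes."""
    return hmac.new(key_from_keyfile(keyfile_bytes),
                    derive_from_passphrase(passphrase, salt),
                    hashlib.sha512).digest()[:KEY_LEN]


def keys_for_providers(passphrase: str, salts: list) -> list:
    """Option 2 from the thread: one passphrase, one distinct salt per provider,
    therefore one distinct derived key per provider."""
    return [derive_from_passphrase(passphrase, s) for s in salts]


def all_distinct(keys: list) -> bool:
    return len(set(keys)) == len(keys)


if __name__ == "__main__":
    # Constructed sample data: two providers, one shared passphrase.
    salts = [os.urandom(16), os.urandom(16)]
    passphrase = "correct horse battery staple"
    keyfile = os.urandom(64)

    per_provider = keys_for_providers(passphrase, salts)
    print("passphrase + distinct salts -> distinct keys:", all_distinct(per_provider))

    reused = [key_from_keyfile(keyfile) for _ in salts]
    print("same keyfile on both providers -> same key:", not all_distinct(reused))

    mixed = [combine_keyfile_and_passphrase(keyfile, passphrase, s) for s in salts]
    print("keyfile + passphrase + distinct salts -> distinct keys:", all_distinct(mixed))
```

The practical reading of Pawel's remark: a keyfile must carry its full strength in its own bytes, since nothing stretches it, whereas a passphrase gets both the salt and the iteration cost added by the initialisation step.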