Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 19 Oct 2015 23:48:55 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-current@freebsd.org
Subject:   Re: Depreciate and remove gbde
Message-ID:  <20151019234855.4ed82051@gumby.homeunix.com>
In-Reply-To: <20151019061930.461285f8@freyja.zeit4.iv.bundesimmobilien.de>
References:  <56237623.5010702@fizk.net> <201510182329.t9INTarc018248@fire.js.berklix.net> <20151019061930.461285f8@freyja.zeit4.iv.bundesimmobilien.de>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 19 Oct 2015 06:19:30 +0200
O. Hartmann wrote:


> When I looked for FreeBSD's encryption, I stopped by GELI. Because of
> it's easy-to-use AND the 'experimental' tag in the handbook! 
> 
> For me, I'd like to know what is the benefit/performance of each
> technique and a clear preparation of each ones advantages over the
> other.

IIRC gbde allows the passphrase to be verified even after the
master-keys have been deleted. The point is to demonstrate that the
passphrase is not being withheld, and the data unrecoverable.

AFAIK that's the only advantage it has over geli. geli supports
hardware acceleration, it's faster in software too. It's more resistant
to dictionary/brute force attacks against the passphrase because of
its PKCS #5 support. It supports a wider range of options and
ciphers/modes. And though it's newer, it's undoubtedly had far more
user-hours of use. Also I don't remember the details, but I think
there's an operation that's atomic in geli, but not in gbde, that gives
gbde a greater risk of data corruption.

I certainly wouldn't like to see gbde removed but I think it is
unfortunate that it's given slightly greater prominence in the handbook
than geli. geli is the right choice for most people.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151019234855.4ed82051>