Date: Mon, 19 Oct 2015 23:48:55 +0100
From: RW <rwmaillists@googlemail.com>
To: freebsd-current@freebsd.org
Subject: Re: Depreciate and remove gbde
Message-ID: <20151019234855.4ed82051@gumby.homeunix.com>
In-Reply-To: <20151019061930.461285f8@freyja.zeit4.iv.bundesimmobilien.de>
References: <56237623.5010702@fizk.net> <201510182329.t9INTarc018248@fire.js.berklix.net> <20151019061930.461285f8@freyja.zeit4.iv.bundesimmobilien.de>
X-Mailer: Claws Mail 3.12.0 (GTK+ 2.24.28; amd64-portbld-freebsd10.2)

On Mon, 19 Oct 2015 06:19:30 +0200
O. Hartmann wrote:

> When I looked for FreeBSD's encryption, I stopped by GELI. Because of
> its easy-to-use AND the 'experimental' tag in the handbook!
>
> For me, I'd like to know what is the benefit/performance of each
> technique and a clear preparation of each one's advantages over the
> other.

IIRC gbde allows the passphrase to be verified even after the master
keys have been deleted. The point is to demonstrate that the passphrase
is not being withheld, and the data unrecoverable. AFAIK that's the only
advantage it has over geli.

geli supports hardware acceleration, and it's faster in software too.
It's more resistant to dictionary/brute-force attacks against the
passphrase because of its PKCS #5 support. It supports a wider range of
options and ciphers/modes. And though it's newer, it's undoubtedly had
far more user-hours of use.

Also, I don't remember the details, but I think there's an operation
that's atomic in geli, but not in gbde, that gives gbde a greater risk
of data corruption.

I certainly wouldn't like to see gbde removed, but I think it is
unfortunate that it's given slightly greater prominence in the handbook
than geli. geli is the right choice for most people.
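To make the PKCS #5 point above concrete, here is an added illustration (not code from the thread or from geli itself) of why iterated key derivation raises the cost of a passphrase dictionary attack. It uses PBKDF2-HMAC-SHA512 from the Python standard library; the passphrase, salt, iteration counts and HMAC rate are constructed sample values, and the comparison "unstretched" key is a plain salted hash chosen to show the contrast, not a claim about how gbde derives its keys.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; not geli's on-disk format or real user secrets.
PASSPHRASE = b"correct horse battery staple"
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 16-byte salt


def stretch_key(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PKCS #5 v2 PBKDF2 with HMAC-SHA512.

    Every iteration chains another HMAC over the previous output, so a
    guesser must pay `iterations` HMAC computations per candidate passphrase.
    """
    return hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, dklen)


def unstretched_key(passphrase: bytes, salt: bytes) -> bytes:
    """One salted hash: the per-guess cost when no iterated KDF is applied."""
    return hashlib.sha512(salt + passphrase).digest()


def single_block_matches(passphrase: bytes, salt: bytes) -> bool:
    """Sanity check of the PBKDF2 definition: with one iteration and one
    output block, T_1 = PRF(P, S || INT(1)), where INT(1) is big-endian 0x00000001."""
    expected = hmac.new(passphrase, salt + b"\x00\x00\x00\x01", hashlib.sha512).digest()
    return stretch_key(passphrase, salt, 1, 64) == expected


def guesses_per_second(iterations: int, hmac_rate: float) -> float:
    """Attacker throughput given an assumed HMAC-SHA512 rate (HMACs per second).

    Stretching by N iterations divides the guess rate by N; this is the
    whole benefit of PKCS #5 against dictionary attacks on the passphrase.
    """
    return hmac_rate / iterations


def calibrate_iterations(target_seconds: float, probe: int = 10_000) -> int:
    """Choose an iteration count so one derivation takes roughly target_seconds
    on this machine (geli init performs a similar calibration when no -i is given)."""
    t0 = time.perf_counter()
    stretch_key(PASSPHRASE, SALT, probe)
    per_iteration = (time.perf_counter() - t0) / probe
    return max(1, int(target_seconds / per_iteration))
```

With an assumed 10 million HMAC-SHA512 operations per second, one million iterations cuts an attacker from 10 million guesses per second to ten, which is the ratio a defender should keep in mind when choosing the iteration count.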