Date: Fri, 16 Dec 2005 20:27:45 +0100 From: "OxY" <oxy@field.hu> To: "Pawel Jakub Dawidek" <pjd@FreeBSD.org>, "Robert Blacquiere" <freebsd-security@guldan.demon.nl> Cc: freebsd-security <freebsd-security@freebsd.org> Subject: Re: geli or gbde encryption of slices Message-ID: <005601c60276$caa18fa0$0201a8c0@oxy> References: <20051211123346.GK98018@bombur.guldan.demon.nl> <20051216191828.GA56737@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
i have a question about chosing geli or gbde.. which one is faster (read/write)? i use gbde, and it's quite slow.. may i create the .bde partition again with larger sector size? which size is optimal? thanks! On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote: +> Hello, +> +> I was playing around with geli an gbde after last EuroBSDCon. +> I liked the idea of encrypting my data which resides in /home/$user. +> Since this is a "single" user laptop i intended to encrypt the +> whole /home partition. Well no problems with that. But i wanted +> the lockfile or keyfile on a seperate usb disc. Which would be +> mounted or used during boot of the system. I also used gshsec on +> the usb disc to even make things more difficult. +> +> Well here is what i found. You can't use a none mounted disc for +> the keys, to take things further geli asks for the access passphrease +> before any filesystems except / is mounted. Gbde fails also because +> the system can't do interactivaly query for the passphrase. Unfortunately we needed to make a choice here: allow to encrypt /usr/, etc. or allow for getting keys from more sources. You can still do what you want, but not via rc.d/geli directly. Geli(8) itself allows to use key from the raw device or anything else, rc.d/geli is the thing which is not such flexible. You may want to try adding some code to /etc/rc.local (which will take part of the key from passphrase, part from USB Pen Drive and part for gshsec(8) device): (cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | /sbin/geli attach -k /dev/stdin /dev/ad0s1e fsck_ffs -p /dev/ad0s1e.eli mount /dev/ad0s1e.eli /mnt/secure Assuming that /mnt/pendrive is already mounted (it should be if placed in /etc/fstab). +> I wanted to use a 3 way authentication for the slice, encrypted fs, +> a usb key and passphrase. I can use geli without the usb key (keyfile). +> But that would render a possible bruteforce entry. Even when you use passphrase only, geli(8) provides PKCS#5v2 to strength it. I'm using it with 131072 iterations, so it is 2^17 times harder to brute-force my passphrase and takes about 2-3 seconds to attach encrypted device on my laptop. -- Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! ----- Original Message ----- From: "Pawel Jakub Dawidek" <pjd@FreeBSD.org> To: "Robert Blacquiere" <freebsd-security@guldan.demon.nl> Cc: "freebsd-security" <freebsd-security@freebsd.org> Sent: Friday, December 16, 2005 8:18 PM Subject: Re: geli or gbde encryption of slices
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005601c60276$caa18fa0$0201a8c0>