Date: Wed, 27 Jul 2022 01:25:39 +0000 From: bugzilla-noreply@freebsd.org To: doc@FreeBSD.org Subject: [Bug 265433] In geli section, add explanation to data integrity management Message-ID: <bug-265433-9-QI4OJxim33@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-265433-9@https.bugs.freebsd.org/bugzilla/> References: <bug-265433-9@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265433

--- Comment #2 from clear.screen@orange.fr ---
As the GELI manual page [GELI(8)] says: the additional option -a "Enable data
integrity verification" [...] "If the option is not given, there will be no
authentication, only encryption."

The encryption/decryption process provides confidentiality (prevents
unauthorized people from gaining access to the data). Such an algorithm with a
cryptographic mechanism ensures that encrypted data with the genuine
encryption/decryption key(s) will be decrypted, but cannot offer any guarantee
against data corruption at the storage layer or during computation.

The whole data integrity process can rely (in sequence) on
- the checking and correction mechanism of the hardware storage unit (in case of
  a silent hardware failure)
- the data integrity checking mechanism of the cryptographic layer (in case of a
  failure in the hardware or software implementation)
- finally, the data integrity checking and correction mechanism of the
  filesystem

Any failure in this dependency chain will lead to data corruption that is not
related to an attacker but to hardware/software failure.

In the case where the media itself does not report errors (damaged flash devices
for example), altered encrypted blocks will lead to corrupted data output.
Thus, retrieving data (if it is possible) will rely only on the filesystem's
capabilities. Having data authentication enabled on the encryption/decryption
layer would allow a warning at an early and low-level stage.

-- 
You are receiving this mail because:
You are the assignee for the bug.
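The point the comment makes (encryption without authentication turns a silent
media error into silently wrong plaintext, while a per-sector HMAC turns it into
a detectable error) can be shown with a small stand-alone model. The following
is an added example, not code from the bug report or from geli: the "cipher" is
a toy SHA-256 keystream XOR standing in for geli's real AES-XTS, the sector
size and keys are constructed demo values, and the per-sector HMAC/SHA256 tag
mirrors the effect of `geli init -a HMAC/SHA256` only in spirit.

```python
"""Toy model: encryption alone vs. encryption plus per-sector authentication.

Added illustration for the geli -a discussion. Not geli code; the cipher is a
deliberately simple keystream XOR (stand-in for AES-XTS) and all keys, sector
sizes and sample data are constructed for the demo.
"""
import hashlib
import hmac

SECTOR_SIZE = 512            # constructed; geli uses the provider's sector size
ENC_KEY = b"\x01" * 32       # constructed demo key, never a fixed key in practice
AUTH_KEY = b"\x02" * 32      # constructed demo key for the per-sector HMAC


class IntegrityError(Exception):
    """Raised when a sector's stored tag does not match its ciphertext."""


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream: concatenated SHA-256(key || sector || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(data: bytes, sector_no: int) -> bytes:
    """XOR with the sector keystream; symmetric, so it also decrypts."""
    ks = _keystream(ENC_KEY, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


decrypt_sector = encrypt_sector


def auth_tag(cipher: bytes, sector_no: int) -> bytes:
    """HMAC/SHA256 over sector number and ciphertext (what -a adds per sector)."""
    return hmac.new(AUTH_KEY, sector_no.to_bytes(8, "big") + cipher,
                    hashlib.sha256).digest()


def write_sector(plain: bytes, sector_no: int, authenticated: bool):
    """Return what the provider stores: (ciphertext, tag-or-None)."""
    cipher = encrypt_sector(plain, sector_no)
    return (cipher, auth_tag(cipher, sector_no) if authenticated else None)


def read_sector(stored, sector_no: int) -> bytes:
    """Verify the tag if present, then decrypt. Without a tag nothing is checked."""
    cipher, tag = stored
    if tag is not None and not hmac.compare_digest(tag, auth_tag(cipher, sector_no)):
        raise IntegrityError(f"sector {sector_no}: authentication failed")
    return decrypt_sector(cipher, sector_no)


def corrupt(stored, offset: int):
    """Model a silent media fault: one stored byte changes, no I/O error raised."""
    cipher, tag = stored
    damaged = bytearray(cipher)
    damaged[offset] ^= 0xFF
    return bytes(damaged), tag


def demo(authenticated: bool) -> str:
    """Write a sector, damage it on 'disk', read it back.

    Returns "clean" if the plaintext survived, "silent-corruption" if wrong
    plaintext came back with no error, or "detected" if the read was refused.
    """
    plain = b"payroll.db record 42\n".ljust(SECTOR_SIZE, b"\0")  # constructed data
    stored = corrupt(write_sector(plain, sector_no=7, authenticated=authenticated), 3)
    try:
        got = read_sector(stored, sector_no=7)
    except IntegrityError:
        return "detected"
    return "clean" if got == plain else "silent-corruption"


if __name__ == "__main__":
    print("encryption only       :", demo(authenticated=False))
    print("encryption + HMAC tag :", demo(authenticated=True))
```

With the toy XOR cipher a single damaged byte changes a single plaintext byte;
with a real block cipher mode the damage spreads over a whole cipher block, but
in both cases the unauthenticated read returns wrong data and no error, leaving
only the filesystem to notice, which is exactly the chain the comment describes.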