From owner-freebsd-hackers@FreeBSD.ORG Mon Oct 13 12:29:36 2014
Date: Mon, 13 Oct 2014 13:29:26 +0100
From: RW
To: freebsd-hackers@freebsd.org
Subject: Re: GBDE not protecting the user
Message-ID: <20141013132926.164cece9@gumby.homeunix.com>
In-Reply-To: <20141011074412.GA9432@mail.michaelwlucas.com>
References: <20141010215842.GA6717@mail.michaelwlucas.com> <20141011113008.705ba16d@X220.alogt.com> <20141011074412.GA9432@mail.michaelwlucas.com>
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.22; amd64-portbld-freebsd10.0)
List-Id: Technical Discussions relating to FreeBSD

On Sat, 11 Oct 2014 03:44:12 -0400
Michael W. Lucas wrote:

> On Sat, Oct 11, 2014 at 11:30:08AM +0800, Erich Dollansky wrote:
> > Hi,
> >
> > On Fri, 10 Oct 2014 17:58:42 -0400
> > "Michael W. Lucas" wrote:
> >
> > > [Tried questions@, no answer, and the code contains things I just
> > > cannot trigger.]
> > >
> > just try geli. It works for me. What I like most is that you can
> > have key and password on external media. No external media - no
> > deciphering.
>
> GELI does not verify key destruction when the correct passphrase is
> used. There are use cases where this is very important--e.g., finance.

You can overwrite the geli metadata on the end of the provider with dd.
Preferably the whole partition if you want to be sure, because anyone
that's ever had access to the disk could have copied the metadata.

If you are going to use a passphrase I'd recommend geli, which has
password strengthening.

> I'd really like to include GBDE in my FreeBSD storage book, but it
> seems that it doesn't actually work.
>
> ==ml
>
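The "overwrite the geli metadata on the end of the provider with dd" step from RW's reply, written out as an added example (it is not code from the thread, from FreeBSD or from geli itself) and exercised against a constructed file-backed provider so it runs offline. It assumes that geli keeps its metadata in the last sector of the provider and that the sector begins with the magic string `GEOM::ELI`, so the sector to destroy sits at `media_size - sector_size`; on a real FreeBSD system the sector size and media size would come from `diskinfo <provider>` (the optional third argument), while the demo uses the file size. The function names `last_sector`, `has_geli_magic`, `wipe_geli_metadata` and `demo` are this example's own.

```shell
#!/bin/sh
# Added example: destroy the geli metadata sector at the end of a provider.
# Not part of the original thread. Assumptions: metadata lives in the LAST
# sector and starts with the magic "GEOM::ELI".

# last_sector PROVIDER SECTOR_SIZE [MEDIA_SIZE] -> index of the final sector.
# MEDIA_SIZE defaults to the file size (on a real disk pass diskinfo's value).
last_sector() {
    size=${3:-$(wc -c < "$1" | tr -d ' ')}
    if [ $(( size % $2 )) -ne 0 ]; then
        echo "size $size is not a multiple of sector size $2" >&2
        return 1
    fi
    echo $(( size / $2 - 1 ))
}

# has_geli_magic PROVIDER SECTOR_SIZE [MEDIA_SIZE]
# Succeeds only if the final sector begins with the geli magic string.
has_geli_magic() {
    idx=$(last_sector "$1" "$2" "${3:-}") || return 1
    magic=$(dd if="$1" bs=1 skip=$(( idx * $2 )) count=9 2>/dev/null)
    [ "$magic" = "GEOM::ELI" ]
}

# wipe_geli_metadata PROVIDER SECTOR_SIZE [MEDIA_SIZE]
# Refuses unless the magic is present (catches a wrong device or sector
# size), overwrites the final sector with random bytes, then re-checks that
# the magic is gone. Earlier copies of the sector are of course untouched,
# which is why RW recommends wiping the whole partition when in doubt.
wipe_geli_metadata() {
    if ! has_geli_magic "$1" "$2" "${3:-}"; then
        echo "no geli metadata at end of $1" >&2
        return 1
    fi
    idx=$(last_sector "$1" "$2" "${3:-}")
    dd if=/dev/urandom of="$1" bs="$2" seek="$idx" count=1 conv=notrunc 2>/dev/null
    ! has_geli_magic "$1" "$2" "${3:-}"
}

# demo: build a constructed 8-sector "provider" whose last sector carries the
# magic, wipe it, and confirm a second wipe refuses. Returns 0 on success.
demo() {
    ss=512
    prov=$(mktemp "${TMPDIR:-/tmp}/geli-demo.XXXXXX")
    dd if=/dev/zero of="$prov" bs=$ss count=8 2>/dev/null
    # constructed metadata sector: magic at the start of sector 7
    printf 'GEOM::ELI' | dd of="$prov" bs=1 seek=$(( 7 * ss )) conv=notrunc 2>/dev/null
    has_geli_magic "$prov" $ss || { rm -f "$prov"; return 1; }
    wipe_geli_metadata "$prov" $ss || { rm -f "$prov"; return 1; }
    if wipe_geli_metadata "$prov" $ss 2>/dev/null; then rm -f "$prov"; return 1; fi
    rm -f "$prov"
    echo "metadata sector wiped and verified"
}

demo
```

On FreeBSD the same random overwrite of the metadata sector is what `geli kill` performs, so the script is a portable illustration of the mechanism rather than a replacement for it. Two caveats follow from RW's point about copies: a `geli backup` file or any earlier image of the disk still holds the metadata, and on flash media the drive may remap the sector so the old contents survive physically, which is the case for overwriting the entire partition rather than one sector. For the passphrase strengthening RW mentions, the iteration count is set at `geli init` time with `-i`.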