From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 14:59:28 2006
From: "Bob Johnson"
To: "Barkley Vowk"
Cc: freebsd-security@freebsd.org, Frank Steinborn
Date: Thu, 7 Sep 2006 10:59:17 -0400
Subject: Re: Getting GELI Keys from Floppy
Message-ID: <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com>
In-Reply-To: <20060906151041.N37483@3jane.math.ualberta.ca>
References: <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca>
List-Id: "Security issues [members-only posting]"
On 9/6/06, Barkley Vowk wrote:
> You are a complete madman. You want to protect your data with a key stored
> on the most completely and utterly unreliable form of data storage still
> lamentably in use? It's not the 1970s anymore, get a real data storage
> medium!
>
> Get a USB flash drive; from there it's a simple matter of changing the geli
> script to mount a specific USB device before starting. Look in
> /etc/rc.d/geli and geli2. I'd put your mounting and checks between the
> kldstat and the "if [ -z" in the geli_start() sub.

I have floppies from the 1980s that are still readable, but I have never had a USB flash drive last more than six months when actually in use. For important data, I trust a floppy far more than I trust a flash drive. The big problem with floppies is they don't hold enough data. For that matter, writeable CDs and DVDs have proven to be much less reliable than floppies, too.

- Bob
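The quoted suggestion, mounting a removable key device before geli attaches its providers, as an added example that is not part of the original thread and not taken from FreeBSD's own /etc/rc.d/geli. It is a set of POSIX sh helpers of the kind one would call from geli_start() at the point Barkley describes. The device node (/dev/da0s1), mount point (/mnt/gelikey), key file name and the 64-byte minimum key size are assumptions; set them for your system. The practical caveat it handles is that USB devices often enumerate after rc has already started, so an immediate existence check can fail even with the stick plugged in; it also mounts the stick read-only so a key file can never be modified by accident, and refuses to continue if the key file is missing or suspiciously short.

```shell
#!/bin/sh
# Added example, not FreeBSD's /etc/rc.d/geli. Helpers to fetch a GELI
# key file from a removable device before attaching providers.
# Device, mount point, key file name and size threshold are assumptions.

# wait_for_path PATH [TIMEOUT_SECONDS]
# Poll until PATH exists, up to TIMEOUT_SECONDS (default 30).
# Returns 0 once it exists, 1 on timeout. Needed because USB storage
# can show up seconds after the rc scripts start running.
wait_for_path() {
    _p=$1
    _t=${2:-30}
    while [ "$_t" -gt 0 ]; do
        [ -e "$_p" ] && return 0
        sleep 1
        _t=$((_t - 1))
    done
    return 1
}

# key_file_usable FILE MIN_BYTES
# Returns 0 if FILE is a regular file of at least MIN_BYTES bytes.
# A truncated or empty key file would make geli attach fail anyway,
# but checking here gives a clear message instead of a bad-key error.
key_file_usable() {
    [ -f "$1" ] || return 1
    _size=$(wc -c < "$1")
    [ "$_size" -ge "$2" ]
}

# mount_usb_key DEVICE MOUNTPOINT KEYFILE
# Wait for DEVICE, mount it read-only on MOUNTPOINT, verify KEYFILE.
# Read-only is deliberate: nothing in the boot path should be able to
# write to the medium that holds the key.
mount_usb_key() {
    _dev=$1
    _mnt=$2
    _key=$3
    if ! wait_for_path "$_dev" 30; then
        echo "geli: key device $_dev did not appear" >&2
        return 1
    fi
    mkdir -p "$_mnt" || return 1
    mount -o ro "$_dev" "$_mnt" || return 1
    if ! key_file_usable "$_mnt/$_key" 64; then
        echo "geli: key file $_key missing or too short on $_dev" >&2
        umount "$_mnt"
        return 1
    fi
    return 0
}

# Usage from the rc script, between the kldstat check and the
# provider loop (assumed names):
#   mount_usb_key /dev/da0s1 /mnt/gelikey gelikey.key &&
#       geli attach -k /mnt/gelikey/gelikey.key /dev/ad0s1d &&
#       umount /mnt/gelikey
```

Unmounting the stick right after the attach matters: once geli has the key material the medium is no longer needed, and leaving it mounted only widens the window in which it can be read by something else on the box.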