Date: Fri, 16 Dec 2005 20:18:28 +0100 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: Robert Blacquiere <freebsd-security@guldan.demon.nl> Cc: freebsd-security <freebsd-security@freebsd.org> Subject: Re: geli or gbde encryption of slices Message-ID: <20051216191828.GA56737@garage.freebsd.pl> In-Reply-To: <20051211123346.GK98018@bombur.guldan.demon.nl> References: <20051211123346.GK98018@bombur.guldan.demon.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote: +> Hello, +> +> I was playing around with geli an gbde after last EuroBSDCon. +> I liked the idea of encrypting my data which resides in /home/$user. +> Since this is a "single" user laptop i intended to encrypt the +> whole /home partition. Well no problems with that. But i wanted +> the lockfile or keyfile on a seperate usb disc. Which would be +> mounted or used during boot of the system. I also used gshsec on +> the usb disc to even make things more difficult. +> +> Well here is what i found. You can't use a none mounted disc for +> the keys, to take things further geli asks for the access passphrease +> before any filesystems except / is mounted. Gbde fails also because +> the system can't do interactivaly query for the passphrase. Unfortunately we needed to make a choice here: allow to encrypt /usr/, etc. or allow for getting keys from more sources. You can still do what you want, but not via rc.d/geli directly. Geli(8) itself allows to use key from the raw device or anything else, rc.d/geli is the thing which is not such flexible. You may want to try adding some code to /etc/rc.local (which will take part of the key from passphrase, part from USB Pen Drive and part for gshsec(8) device): (cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | /sbin/geli attach -k /dev/stdin /dev/ad0s1e fsck_ffs -p /dev/ad0s1e.eli mount /dev/ad0s1e.eli /mnt/secure Assuming that /mnt/pendrive is already mounted (it should be if placed in /etc/fstab). +> I wanted to use a 3 way authentication for the slice, encrypted fs, +> a usb key and passphrase. I can use geli without the usb key (keyfile). +> But that would render a possible bruteforce entry. Even when you use passphrase only, geli(8) provides PKCS#5v2 to strength it. I'm using it with 131072 iterations, so it is 2^17 times harder to brute-force my passphrase and takes about 2-3 seconds to attach encrypted device on my laptop. -- Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDoxMEForvXbEpPzQRAkS8AJ9kLdnFesPmZoQDCpCbAkcVBkr0WgCfV5b5 UM3hSEIKge0RIQ4KAPzF5WU= =FcDF -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051216191828.GA56737>