Date:      Thu, 8 Jun 2006 15:20:49 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        freebsd-current@FreeBSD.org
Subject:   Data authentication for geli(8) committed to HEAD.
Message-ID:  <20060608132048.GD86198@garage.freebsd.pl>


Hi.

geli(8) from FreeBSD-CURRENT is now able to perform data integrity
verification (data authentication) using one of the following
algorithms:

	- HMAC/MD5
	- HMAC/SHA1
	- HMAC/RIPEMD160
	- HMAC/SHA256
	- HMAC/SHA384
	- HMAC/SHA512

One of the main design goals was to make it reliable and resistant to
power failures or system crashes. It was very important to commit both
data update and HMAC update as an atomic operation to the disk, so users
don't have to fight with false positives.
Even with data authentication enabled, geli(8) should still be fast - to
provide the reliability I'm talking about, no internal journal or other
complex mechanisms are used. It is still sector-to-sector encryption.

If someone is interested in the data layout itself, it is described in
the sys/geom/eli/g_eli_integrity.c file.

Before you use this feature, please read "DATA AUTHENTICATION" section
in the geli(8) manual page, to learn against which kind of attacks
geli(8) can protect your data and against which it can not.

While working on this, I improved the crypto(9) framework a bit and
various drivers. At this point, all crypto accelerators which we support
should work with geli(8) (ubsec(4), hifn(4), safe(4), padlock(4)), also
with data authentication functionality.

Enjoy!

<commercial>
The work was sponsored by Wheel LTD. [http://www.wheel.pl],
creator of authentication system - CERB - which allows to use mobile
phone/device in two-factor authentication process.
</commercial>

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
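
The atomicity goal described in the message, as an added example that is not part of the original e-mail and not geli(8) code: a simplified model comparing a layout where the HMAC tag lives in a separate sector from the data with one where tag and data share a single sector. The 512-byte sector size, the tag-then-payload ordering, the function names and the assumption that a single-sector write either fully lands or does not happen are all assumptions of this model; geli's real layout is the one documented in sys/geom/eli/g_eli_integrity.c.

```python
import hashlib
import hmac

SECTOR = 512                  # on-disk sector size (assumed for this model)
TAG_LEN = 32                  # HMAC/SHA256 tag length in bytes
PAYLOAD = SECTOR - TAG_LEN    # data bytes carried by one on-disk sector


def tag_for(key: bytes, payload: bytes) -> bytes:
    """HMAC/SHA256 tag over one sector's payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the stored tag with the recomputed one."""
    return hmac.compare_digest(tag_for(key, payload), tag)


def crash_split_layout(key: bytes, old: bytes, new: bytes) -> bool:
    """Data and tag in different sectors: an update needs two writes.
    Power fails after the first, so new data sits beside the old tag."""
    data_sector, tag_sector = old, tag_for(key, old)
    data_sector = new             # write 1 reaches the disk
    # write 2 (the new tag) never happens
    return verify(key, data_sector, tag_sector)


def crash_inline_layout(key: bytes, old: bytes, new: bytes, landed: bool) -> bool:
    """Tag and payload in the same sector: one write updates both, so
    after a crash the sector is entirely old or entirely new."""
    sector = tag_for(key, old) + old
    if landed:
        sector = tag_for(key, new) + new
    return verify(key, sector[TAG_LEN:], sector[:TAG_LEN])


def tampered_inline(key: bytes, payload: bytes) -> bool:
    """Offline modification of one payload bit must still be detected."""
    sector = bytearray(tag_for(key, payload) + payload)
    sector[TAG_LEN] ^= 0x01
    return verify(key, bytes(sector[TAG_LEN:]), bytes(sector[:TAG_LEN]))


if __name__ == "__main__":
    key = bytes(range(32))                        # constructed sample key
    old, new = b"A" * PAYLOAD, b"B" * PAYLOAD     # constructed sample data
    print("split layout after crash verifies:", crash_split_layout(key, old, new))
    print("inline, write lost:", crash_inline_layout(key, old, new, False))
    print("inline, write landed:", crash_inline_layout(key, old, new, True))
    print("inline, tampered verifies:", tampered_inline(key, old))
```

In the split layout the interrupted update fails verification although nobody tampered with the disk, which is the false positive the message refers to; the inline layout verifies in both crash outcomes and still rejects the flipped bit.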