Date: Mon, 25 Oct 2010 10:07:11 +0700
From: Victor Sudakov <sudakov@sibptus.tomsk.ru>
To: freebsd-questions@freebsd.org
Subject: Re: geli keys
Message-ID: <20101025030711.GA84564@admin.sibptus.tomsk.ru>
In-Reply-To: <20101024123238.34c4344a@gumby.homeunix.com>
References: <20101024101457.GA72426@admin.sibptus.tomsk.ru> <20101024123238.34c4344a@gumby.homeunix.com>

RW wrote:
> >
> > The geli(8) man page suggests initializing a geli provider with a
> > random keyfile (geli init -K). It also asks for a passphrase by
> > default.
> >
> > What happens if a provider is initialized without the -K option, just
> > with a passphrase? Will there be no encryption? Encryption will be
> > weaker?
>
> You can use either or both, they get combined.

I see.

> It's hard to remember a passphrase that contains 256 bits of entropy,
> OTOH a passfile might get stolen, so some people will want to use both.

Why does the geli(8) man page always use a 64B long keyfile as an
example? Why 64 bytes and not 128 or 1024 or whatever?

What if I use a well randomized keyfile and a weak passphrase, will
the master key be weaker?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
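
A simplified model of "they get combined", as an added example that is not part of the original message and is not geli's own code. The construction (HMAC-SHA512 over the keyfile followed by a PBKDF2-stretched passphrase), the salt, the iteration count and all names are assumptions chosen for illustration; the sample keyfile and passphrases are constructed.

```python
import hashlib
import hmac
from typing import Iterable, Optional

SALT = bytes(64)     # constructed sample; a real provider would store a random salt
ITERATIONS = 1000    # assumed value, kept low so the example runs quickly


def derive_user_key(keyfile: Optional[bytes], passphrase: Optional[bytes]) -> bytes:
    """Fold whichever components are present into one 64-byte key."""
    if keyfile is None and passphrase is None:
        raise ValueError("need a keyfile, a passphrase, or both")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)
    if passphrase is not None:
        # Stretch the passphrase so each guess costs ITERATIONS hash rounds.
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, SALT,
                                       ITERATIONS, dklen=64))
    return mac.digest()


def passphrase_found(target: bytes, guesses: Iterable[bytes],
                     keyfile: Optional[bytes]) -> Optional[bytes]:
    """Return the guess that reproduces `target`, given the keyfile held (if any)."""
    for guess in guesses:
        if hmac.compare_digest(derive_user_key(keyfile, guess), target):
            return guess
    return None


# Constructed sample values (a hash output stands in for 64 random bytes).
KEYFILE = hashlib.sha512(b"constructed stand-in for 64 random bytes").digest()
WEAK_PASS = b"letmein"
GUESSES = [b"password", b"123456", b"letmein", b"qwerty"]

if __name__ == "__main__":
    both = derive_user_key(KEYFILE, WEAK_PASS)
    pass_only = derive_user_key(None, WEAK_PASS)
    print("passphrase only:         ", passphrase_found(pass_only, GUESSES, None))
    print("both, keyfile also held: ", passphrase_found(both, GUESSES, KEYFILE))
    print("both, keyfile not held:  ", passphrase_found(both, GUESSES, None))
```

In this model a weak passphrase does not reduce what the keyfile contributes: the short guess list only reproduces the combined key when the keyfile is also held, which is the stolen-passfile case raised in the quoted reply.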