Date: Tue, 31 Dec 2013 17:03:33 -0500
From: "Chad J. Milios" <milios@ccsys.com>
To: Karl Pielorz <kpielorz_lst@tdx.co.uk>
Cc: "freebsd-geom@freebsd.org" <freebsd-geom@freebsd.org>
Subject: Re: HAST + GELI?
Message-ID: <49C17592-B51C-42E5-BF04-8BC4D97DA108@ccsys.com>
In-Reply-To: <DEDAAAFBF4A1B918B9D76639@study64.tdx.co.uk>
References: <DEDAAAFBF4A1B918B9D76639@study64.tdx.co.uk>
Either way works great. Both ways have their benefits, pains and pitfalls. It depends on your use case, configuration, hardware, adversaries, etc. Like most security solutions, the devil, and weaknesses, lie in the details, like network engineering and key management. Care to elaborate for us?

By the way, I'll just point out, always, and now more so than ever in light of NSA and TAO, that full disk encryption is not the magic bullet we'd hope. About all you should expect from GELI is that it makes hard drive _disposal_ safer and easier at a drive's EOL, and even then not totally so. That being said, there is a worthwhile benefit _possible_ to achieve in the use case of a portable device, and many a data breach would have been prevented by proper application of GELI in that circumstance.

"Highly available" servers have a lot less practical use for GELI, especially if either is colocated. If both of your HAST nodes are in your own facilities and you have a tight and practiced mayday procedure, perhaps in addition to an automated system to trigger panic mode, it has some very good merit.

In other cases software-based full disk encryption is really only going to thwart or inconvenience the weakest of adversaries, which of course may be all you need or the best you can hope for. I use GELI almost everywhere and I've deployed it both ways with HAST depending on the situation. Neither can be credited as the reason I get any sleep at night (simple exhaustion and unimportance in the cosmic scale are what do it for me), though they can certainly have their place in a well thought out security plan/procedure, if such a thing exists.

> On Dec 30, 2013, at 5:58 PM, Karl Pielorz <kpielorz_lst@tdx.co.uk> wrote:
>
>
> Hi All,
>
> As I don't currently have the requisite two boxes to try this... Is it likely / possible you can use HAST with GELI? - i.e. to have a highly available, but encrypted-on-disk device?
>
> If so are you better off creating GELI devices (i.e. .eli) and running HAST on those, or creating HAST devices - and running GELI on those?
>
> Thanks,
>
> -Karl
> _______________________________________________
> freebsd-geom@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-geom
> To unsubscribe, send any mail to "freebsd-geom-unsubscribe@freebsd.org"
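The two layerings Karl asks about, written out as an added example (this is not configuration from the thread or from the FreeBSD project): an /etc/hast.conf for each variant with the geli(8)/hastctl(8) command order on each node in comments. The hostnames hostA/hostB, the 10.0.0.x addresses, /dev/da0, the resource name "data" and the key file paths are all assumed for illustration.

```conf
# Added example: GELI under HAST vs. GELI over HAST.
# hostA/hostB, 10.0.0.1/10.0.0.2, /dev/da0 and /root/data.key are assumed.

# ---- Variant 1: GELI under HAST (HAST's local provider is the .eli device) ----
# On EACH node, before hastd starts (each node may use its own, unrelated key):
#   geli init -s 4096 -K /root/data.key /dev/da0
#   geli attach -k /root/data.key /dev/da0        # creates /dev/da0.eli
# Then on each node: hastctl create data
# and: hastctl role primary data (hostA) / hastctl role secondary data (hostB)
resource data {
    on hostA {
        local /dev/da0.eli
        remote 10.0.0.2
    }
    on hostB {
        local /dev/da0.eli
        remote 10.0.0.1
    }
}
# /dev/hast/data is the plaintext view on the primary. hastd replicates what
# its local provider exposes, so the blocks crossing the replication link are
# plaintext; that link needs its own protection (dedicated segment, IPsec, ...).

# ---- Variant 2: GELI over HAST (GELI sits on /dev/hast/data) ----
# On each node: hastctl create data, then the role assignment as above.
resource data {
    on hostA {
        local /dev/da0
        remote 10.0.0.2
    }
    on hostB {
        local /dev/da0
        remote 10.0.0.1
    }
}
# On the PRIMARY only, once /dev/hast/data exists:
#   geli init -s 4096 -K /root/data.key /dev/hast/data
#   geli attach -k /root/data.key /dev/hast/data   # creates /dev/hast/data.eli
# Before demoting: geli detach /dev/hast/data.eli ; hastctl role secondary data
# The replication link now carries ciphertext, but both nodes hold identical
# GELI metadata, so the same key file and passphrase must be reachable on the
# secondary at failover or the promoted node cannot attach the volume.
```

The two variants differ exactly in the details Chad flags: in variant 1 key management is per node and the network engineering problem is the plaintext replication stream; in variant 2 the stream is ciphertext but the failover procedure must deliver the shared key to whichever node becomes primary, which is where a "mayday" or panic procedure that destroys or withholds the key fits.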