-p with GELI

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed Feb 8 14:47:11 PST 2006 

On Wed, Feb 08, 2006 at 10:51:09PM +0100, Christian Baer wrote:
+> On Wed, 8 Feb 2006 21:18:53 +0100 Pawel Jakub Dawidek wrote:
+> > What you want to use is '-k' option.
+> > If you really know what you're doing you can do something like this:
+> 
+> Hmm, I thought the keyfile and the passphrase were treated differently.
+> Does that mean they are exchangeable, i.e. if I init the provider with a
+> passphrase I can attach it with a keyfile of the same content as the
+> passphrase?

No, but you may pass 'keyfile' through standard input, so it can be
anything.
You must know, that for keyfiles PKCS#5v2 won't be used nor additional
salt.

+> > I suggest not to use the same passphrase for all providers.
+> > You can always do something like:
+> >
+> > pass_da0=3D`echo "0${passphrase}0" | sha256`
+> > pass_da1=3D`echo "1${passphrase}1" | sha256`
+> > pass_da2=3D`echo "2${passphrase}2" | sha256`
+> 
+> For that to be of any real good[1], the script would have to be on an
+> encrypted provider - preferably with a *completely* different passphrase
+> (and as a result a completely different key) itself. But if the attacker
+> can analyse this script, then a brute forcing the ${passphrase} will grant
+> access to all providers.
+> 
+> Or am I missing the point here completely?

This is not to prevent brute force attack, it's just better no to use
the same key. Actually here it is not so important as it is only used
for Master-Key encryption which is random.

Anyway, in my opnion this is the list from the safest to the most unsafe
configuration list:
1. Different passphrase for every provider.
2. Different key for every provider derived from the same passphrase.
3. One passphrase for every provider.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-geom/attachments/20060208/50b7626a/attachment.bin

More information about the freebsd-geom mailing list