-p with GELI

Christian Baer christian.baer at informatik.uni-dortmund.de
Wed Feb 8 16:41:07 PST 2006


On Wed, 8 Feb 2006 23:46:45 +0100 Pawel Jakub Dawidek wrote:

> No, but you may pass 'keyfile' through standard input, so it can be
> anything.
> You must know, that for keyfiles PKCS#5v2 won't be used nor additional
> salt.

So that means, if I init a provider without a keyfile but with a long
passphrase, I get the benefit of PKCS#5v2 and additional salt? That is
the way I initialized all my providers so far. Could I now use -k to
attach the providers as shown in the script?

> This is not to prevent brute force attack, it's just better not to use
> the same key. Actually here it is not so important as it is only used
> for Master-Key encryption which is random.

But as you wrote, part of the key is random and part is derived from the
passphrase. So each key *would* be different.

> Anyway, in my opinion this is the list from the safest to the most unsafe
> configuration list:
> 1. Different passphrase for every provider.
> 2. Different key for every provider derived from the same passphrase.
> 3. One passphrase for every provider.

Where is the difference between 2 and 3? Is 3 "1 passphrase and 1 key
for every provider"? Could that even be achieved?

Regards
Chris
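The key-derivation behaviour described in the quoted reply (keyfiles absorbed as they are, with no PKCS#5v2 and no salt; a passphrase stretched with PKCS#5v2 using the provider's salt and iteration count) modelled in Python. This is an added example written for this page, not code from the thread or from FreeBSD's geli. The concrete choices below (HMAC-SHA512 with an empty key as the combining function, a 64-byte salt, a 64-byte PBKDF2-HMAC-SHA512 output, the two constructed salts, the wordlist and the toy dictionary attack) are this example's own assumptions; the real metadata layout and the cipher that wraps the random Master Key are not reproduced.

```python
"""How GELI turns key components into the User Key: a simplified model.

Added example for this page, not code from the freebsd-geom thread or
from FreeBSD.  It follows the behaviour described in the quoted reply:
keyfiles are fed into the key derivation as they are (no PKCS#5v2, no
salt), while a passphrase is stretched with PKCS#5v2 (PBKDF2) using the
provider's salt and iteration count.  Function names, the constructed
salts and the toy dictionary attack are this example's own.
"""
import hashlib
import hmac
from typing import Iterable, Optional

SALT_LEN = 64   # size assumed here for the per-provider salt in the metadata
KEY_LEN = 64    # HMAC-SHA512 output, used here as the User Key


def derive_user_key(salt: bytes, iterations: int,
                    keyfiles: Iterable[bytes] = (),
                    passphrase: Optional[bytes] = None) -> bytes:
    """Combine key components into the User Key.

    keyfiles   -> absorbed raw into HMAC-SHA512; salt and iterations are ignored
    passphrase -> PBKDF2-HMAC-SHA512(passphrase, salt, iterations) when
                  iterations > 0, absorbed raw when iterations == 0
    """
    keyfiles = list(keyfiles)
    if not keyfiles and passphrase is None:
        raise ValueError("at least one key component is required")
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    for kf in keyfiles:
        mac.update(kf)
    if passphrase is not None:
        if iterations > 0:
            stretched = hashlib.pbkdf2_hmac("sha512", passphrase, salt,
                                            iterations, KEY_LEN)
            mac.update(stretched)
        else:
            mac.update(passphrase)
    return mac.digest()


def guesses_to_recover(target: bytes, salt: bytes, iterations: int,
                       candidates: Iterable[bytes], as_keyfile: bool) -> int:
    """Toy dictionary attack against a single-component User Key.

    Returns the 1-based position of the candidate that reproduces `target`,
    or -1 if none does.  Each passphrase guess costs `iterations` PBKDF2
    rounds; each keyfile guess costs one HMAC, which is why a keyfile has
    to carry its own entropy instead of relying on stretching.
    """
    for n, cand in enumerate(candidates, 1):
        if as_keyfile:
            k = derive_user_key(salt, iterations, keyfiles=[cand])
        else:
            k = derive_user_key(salt, iterations, passphrase=cand)
        if hmac.compare_digest(k, target):
            return n
    return -1


# Constructed salts standing in for two providers' metadata (geli would
# generate these randomly at init time).  Constructed wordlist likewise.
SALT_DA0 = bytes(range(64))
SALT_DA1 = bytes(range(64, 128))
WORDLIST = [b"password", b"letmein", b"correct horse", b"hunter2"]


def main() -> None:
    pw = b"correct horse"
    # Same passphrase on two providers: different salts give different
    # User Keys, so the passphrase-derived component already differs.
    k0 = derive_user_key(SALT_DA0, 2000, passphrase=pw)
    k1 = derive_user_key(SALT_DA1, 2000, passphrase=pw)
    print("passphrase-derived keys differ across providers:", k0 != k1)

    # A keyfile is used as-is: salt and iteration count make no difference,
    # so one reused weak keyfile yields the same User Key everywhere.
    kf = b"hunter2"
    same = derive_user_key(SALT_DA0, 2000, keyfiles=[kf]) == \
        derive_user_key(SALT_DA1, 50000, keyfiles=[kf])
    print("keyfile-derived key ignores salt/iterations:", same)

    # Dictionary attack: passphrase guesses pay PBKDF2, keyfile guesses do not.
    print("passphrase found at guess",
          guesses_to_recover(k0, SALT_DA0, 2000, WORDLIST, as_keyfile=False))
    print("weak keyfile found at guess",
          guesses_to_recover(derive_user_key(SALT_DA0, 2000, keyfiles=[kf]),
                             SALT_DA0, 2000, WORDLIST, as_keyfile=True))


if __name__ == "__main__":
    main()
```

The practical point the model makes visible: the passphrase path pays the iteration count (geli's `-i`) on every guess and differs per provider through the salt, while the keyfile path pays one hash per guess and gives the same result on every provider. A keyfile therefore has to be random, high-entropy data; a short or dictionary-derived keyfile gets none of the protection a passphrase does.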



More information about the freebsd-geom mailing list