-p with GELI
Pawel Jakub Dawidek
pjd at FreeBSD.org
Thu Feb 9 23:04:39 PST 2006
On Thu, Feb 09, 2006 at 01:36:17AM +0100, Christian Baer wrote:
+> On Wed, 8 Feb 2006 23:46:45 +0100 Pawel Jakub Dawidek wrote:
+>
+> > No, but you may pass 'keyfile' through standard input, so it can be
+> > anything.
+> > You must know, that for keyfiles PKCS#5v2 won't be used nor additional
+> > salt.
+>
+> So that means, if I init a provider without a keyfile but with a long
+> passphrase, I get the benifit of PKCS#5v2 and additional salt? That is
+> the way I initialized all my providers so far. Could I now use -k to
+> attach the providers as shown in the script?
No. If it is already initialized you can't do it.
So still can change the key or just use expect.
+> > This is not to prevent brute force attack, it's just better no to use
+> > the same key. Actually here it is not so important as it is only used
+> > for Master-Key encryption which is random.
+>
+> But as you wrote, part of the key is random and part is derived from the
+> passphrase. So each key *would* be different.
+>
+> > Anyway, in my opnion this is the list from the safest to the most unsafe
+> > configuration list:
+> > 1. Different passphrase for every provider.
+> > 2. Different key for every provider derived from the same passphrase.
+> > 3. One passphrase for every provider.
+>
+> Where is the difference between 2 and 3?
When one of your keys leaked (eg. by ps(1) output or any other way), an
attacker can decrypt only one disk, not three.
+> [...] Is 3 "1 passphrase and 1 key
+> for every provider"? Could that even be achieved?
Maybe I wasn't clear there. 3rd point is what you proposed: One
passphrase (the same passphrase) for all providers.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-geom/attachments/20060210/29b44f26/attachment.bin
More information about the freebsd-geom
mailing list