A few things about GELI

Pawel Jakub Dawidek pjd at FreeBSD.org
Mon Jan 30 12:13:06 PST 2006


On Mon, Jan 30, 2006 at 04:46:38PM +0100, Christian Baer wrote:
+> The question is more of an academic nature, but interesting just the
+> same: Can it be said that GELI is more secure (by design) than GBDE or
+> vice versa? The differences are not only of cosmetic nature or in the
+> user interface, but there is a real difference within the concept. Can
+> one of these approaches be called more secure than the other[2]?

I'm not going to answer this. In my opinion both are secure enough for
most uses (i.e. for data privacy).

+> Are there any plans to add additional ciphers like Twofish or Serpent to
+> GELI?

If those are added to crypto(9) it will be trivial to add them to
geli(8).

+> What does this "sector-to-sector encryption" mean and how is it
+> different from GBDE's approach?

In GBDE there is one sector with keys per 32 sectors with data.
In GELI there is one main key and each data sector is represented by
exactly one sector in the *.eli provider.

+> Are there plans for a geli(4) manpage inspired by gbde(4) manpage? It
+> just shows the non-expert wonderfully, how it works and how safe it is
+> (in numbers).

Yes, there are plans...

+> GBDE wants to be attached to a partition like adxs1d. The examples in
+> the handbook however suggest that GELI should be attached to the
+> hardware-device adx and not to a partition. Why is this so? I am
+> guessing that GELI would be just as happy to be attached to ad1s1d as to
+> ad1 (wouldn't this be mandatory if there were more than one partition on
+> the drive?), but does this have any (dis-) advantages?

Both gbde(8) and geli(8) can work just fine with any GEOM providers
(disks, partitions, slices, mirrors, stripes, etc.).

+> If I were to use encrypted swap space I couldn't use the fstab for these
+> anymore. Should I do this with a start-up script and if so, where should
+> I put it? 'Where' as in 'where should it be in the boot-order?'

For swap devices you can simply put /dev/adXs1.eli into /etc/fstab and
the /etc/rc.d/encswap script will detect the .eli suffix and configure it
with a one-time key.

+> Basically the same thing goes for temp-space. When should it be mounted?
+> And more importantly, if I use a new key every time, wouldn't I need a
+> newfs during every boot - before I mount /tmp?

There is no rc.d script for this yet. So now you need to put something
like this into /etc/rc.early:

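# Create a 64 MB swap-backed memory disk; mdconfig prints its name (e.g. md0).
prov=`mdconfig -a -t swap -s 64m`
# Attach it with a one-time key; this creates /dev/${prov}.eli.
geli onetime /dev/${prov}
# Create the file system on the encrypted provider, not on the raw device.
newfs /dev/${prov}.eli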

+> [2] I don't see either of them being cracked any time soon and if either
+>     were attacked it would probably be easier to brute force the
+>     passphrase than to attack the architecture itself.

In geli(8) the password is protected with PKCS#5v2. On my laptop my
passphrase is protected with 131072 iterations, which basically means
it is 2^17 times harder to break.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
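
The 2^17 figure in the reply above, worked through as an added example (not part of the original message and not GELI's own code): it spells out the PKCS#5v2 (PBKDF2) iteration loop and counts the PRF calls each passphrase guess costs. HMAC-SHA512 as the PRF, the 64-byte salt, the passphrase and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import math
import struct

# Constructed sample values; not taken from any real GELI provider.
SAMPLE_PASSPHRASE = b"correct horse battery staple"
SAMPLE_SALT = bytes(range(64))
ITERATIONS = 131072  # the count quoted in the message (2^17)


def pbkdf2_block(prf, passphrase, salt, iterations, index=1):
    """Return (T_index, prf_calls) for one PBKDF2 block, T = U_1 ^ ... ^ U_c."""
    keyed = hmac.new(passphrase, digestmod=prf)  # HMAC key setup done once

    def mac(msg):
        h = keyed.copy()
        h.update(msg)
        return h.digest()

    u = mac(salt + struct.pack(">I", index))     # U_1 = PRF(P, S || INT(i))
    acc = int.from_bytes(u, "big")
    calls = 1
    for _ in range(iterations - 1):              # U_j = PRF(P, U_{j-1})
        u = mac(u)
        acc ^= int.from_bytes(u, "big")
        calls += 1
    return acc.to_bytes(len(u), "big"), calls


def work_factor_bits(iterations):
    """Extra bits of brute-force work per guess versus a single PRF call."""
    return math.log2(iterations)


def effective_bits(passphrase_entropy_bits, iterations):
    """log2 of the PRF calls needed to exhaust a passphrase space."""
    return passphrase_entropy_bits + work_factor_bits(iterations)


if __name__ == "__main__":
    key, calls = pbkdf2_block("sha512", SAMPLE_PASSPHRASE, SAMPLE_SALT, ITERATIONS)
    ref = hashlib.pbkdf2_hmac("sha512", SAMPLE_PASSPHRASE, SAMPLE_SALT, ITERATIONS)
    print("matches hashlib:", key == ref)
    print("PRF calls per guess:", calls, "= 2^%d" % work_factor_bits(ITERATIONS))
    print("40-bit passphrase costs ~2^%d PRF calls" % effective_bits(40, ITERATIONS))
```

The iteration count multiplies the cost of every guess but adds nothing to a weak passphrase's own entropy, so the two terms in effective_bits() have to be considered together.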