GELI: change keyfile to passphrase

Pawel Jakub Dawidek pjd at FreeBSD.org
Thu Jan 25 11:48:35 UTC 2007


On Wed, Jan 24, 2007 at 12:44:35AM +0100, Thomas Nickl wrote:
> Hi,
> 
> I know a way to destroy your geli partition without knowing ;) :
> 
> dd if=/dev/random of=/tmp/keyfile count=1 bs=128
> geli init -s 4096 -b -P -K /tmp/keyfile /dev/md9
> geli attach -p -k /tmp/keyfile /dev/md9
> geli setkey -n 0 /dev/md9
> > <new password entered twice>
> geli detach /dev/md9
> geli attach /dev/md9
> > Missing -p flag.
> geli attach -p /dev/md9
> > No key components given.
> geli attach -p -k /tmp/keyfile /dev/md9
> > Wrong key for md9.
> 
> Replacing the setkey line with
> geli setkey -n 0 -p -k /tmp/keyfile /dev/md9
> doesn't help.
> 
> HOWEVER,
> geli detach /dev/md9
> and then
> geli setkey -n 0 -p -k /tmp/keyfile /dev/md9
> works as designed ("geli attach /dev/md9" now asks for a passphrase)
> 
> So I can recommend: never set a key with an attached media.
> 
> I have "FreeBSD washu 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:42:56 UTC 2006   root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386".

This was a bug, which is fixed in the following revisions:

src/sbin/geom/class/eli/geom_eli.c 1.19
src/sbin/geom/misc/subr.c 1.7
src/sbin/geom/misc/subr.h 1.8

The explanation from the commit log:

When the following conditions are met:
- First configured key is based only on keyfile (no passphrase).
- Device is attached.
- User changes first key (setkey) from keyfile to passphrase and doesn't
  specify number of iterations (with -i option).
...geli(8) won't store the calculated number of iterations in metadata.
This results in the device being inaccessible after detach.

One can recover from this situation by guessing the number of iterations
generated, storing it in the metadata and trying to attach the device.
The recovery procedure isn't nice, but one's data is not lost.

PS. Just to clarify. This bug doesn't affect geli(8) security in any way.
    It affects only data availability and it is possible to recover data.

Thank you for your report!

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
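The recovery procedure described in the commit log (guess the iteration
count, write it into the metadata, try to attach) has to be done on a
metadata backup, because with 0 stored as the iteration count geli cannot
verify the old key and so will not let setkey change it. The following is
an added example, written for this page and not part of geli(8) or the
fix above. It works on a sector saved with `geli backup <prov> <file>`,
decodes the fields, verifies the MD5 trailer, and writes the sector back
with a chosen md_iterations value and a recomputed trailer. The field
layout (struct g_eli_metadata from sys/geom/eli/g_eli.h for metadata
versions 0 and 1, little-endian integers, MD5 over the bytes before the
trailer) is the example author's recollection and is treated as an
assumption: decode() refuses to proceed unless the stored MD5 matches what
it parsed, so a wrong layout fails closed instead of producing a bogus
patch. make_sample() builds a constructed sector so the code runs without
a device; its ealgo/keylen values are placeholders.

```python
"""
Decode, verify and patch the md_iterations field of a geli(8) metadata
sector, as saved by `geli backup <prov> <file>`.

Example code written for this page; it is not part of geli(8).  The field
layout is an assumption: the author's recollection of struct g_eli_metadata
in sys/geom/eli/g_eli.h for metadata versions 0 and 1 (little-endian
integers, MD5 trailer over the bytes before it).  decode() refuses to
return anything unless the stored MD5 matches the bytes it parsed, so a
wrong layout fails closed instead of producing a bogus patch.
"""
import hashlib
import struct

MAGIC = b"GEOM::ELI".ljust(16, b"\0")   # assumed: NUL-padded to 16 bytes
SALT_LEN = 64                           # G_ELI_SALTLEN (assumed)
MKEYS_LEN = 2 * (64 + 64 + 64)          # G_ELI_MAXMKEYS * G_ELI_MKEYLEN (assumed)
HASH_LEN = 16                           # MD5 digest


def _fields(version):
    """On-disk field order for one metadata version (assumed layout)."""
    fields = [("magic", "16s"), ("version", "I"), ("flags", "I"),
              ("ealgo", "H"), ("keylen", "H")]
    if version >= 1:
        fields.append(("aalgo", "H"))   # assumed: added in version 1
    fields += [("provsize", "Q"), ("sectorsize", "I"), ("keys", "B"),
               ("iterations", "i"), ("salt", "%ds" % SALT_LEN),
               ("mkeys", "%ds" % MKEYS_LEN), ("hash", "%ds" % HASH_LEN)]
    return fields


def _fmt(fields):
    """struct format string: '<' = little-endian, no alignment padding."""
    return "<" + "".join(f for _, f in fields)


def decode(sector):
    """Return the metadata fields as a dict.  Raises ValueError unless the
    magic matches and the MD5 trailer verifies over the parsed bytes."""
    if sector[:16] != MAGIC:
        raise ValueError("not geli metadata (bad magic)")
    version = struct.unpack_from("<I", sector, 16)[0]
    fields = _fields(version)
    fmt = _fmt(fields)
    size = struct.calcsize(fmt)
    if len(sector) < size:
        raise ValueError("sector too short for metadata version %d" % version)
    md = dict(zip((n for n, _ in fields), struct.unpack_from(fmt, sector, 0)))
    if hashlib.md5(sector[:size - HASH_LEN]).digest() != md["hash"]:
        raise ValueError("MD5 mismatch: corrupt sector or wrong layout assumption")
    return md


def encode(md, sector_len=None):
    """Serialise md into a sector of sector_len bytes (default: md's own
    sectorsize), recomputing the MD5 trailer over the preceding fields."""
    body_fields = _fields(md["version"])[:-1]          # everything but the hash
    body = struct.pack(_fmt(body_fields), *(md[n] for n, _ in body_fields))
    if sector_len is None:
        sector_len = md["sectorsize"]
    return (body + hashlib.md5(body).digest()).ljust(sector_len, b"\0")


def patch_iterations(sector, iterations):
    """Copy of sector with md_iterations replaced and the MD5 fixed up;
    the sector length is preserved so `geli restore` sees a full sector."""
    md = decode(sector)                                 # verifies before touching
    md["iterations"] = iterations
    return encode(md, len(sector))


def make_sample(iterations=0, version=1):
    """Constructed metadata sector for demonstration only (not read from a
    real provider; ealgo/keylen values are arbitrary placeholders)."""
    md = {"magic": MAGIC, "version": version, "flags": 0, "ealgo": 11,
          "keylen": 128, "aalgo": 0, "provsize": 1 << 30, "sectorsize": 512,
          "keys": 1, "iterations": iterations,
          "salt": b"\x5a" * SALT_LEN, "mkeys": b"\xa5" * MKEYS_LEN}
    return encode(md)


if __name__ == "__main__":
    import sys
    # usage: patch_iterations.py backup.in backup.out ITERATIONS
    src, dst, n = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, "rb") as f:
        sector = f.read()
    print("stored iterations: %d" % decode(sector)["iterations"])
    with open(dst, "wb") as f:
        f.write(patch_iterations(sector, n))
```

Recovery loop, in outline: keep the untouched `geli backup` file aside,
then for each candidate count write a patched copy, `geli restore` it onto
the provider and try `geli attach` with the passphrase; the first candidate
that attaches is the one geli calibrated when setkey ran. Because geli
picks the count from the speed of the machine it ran on, a good place to
start the scan is the count `geli init` (without -i) followed by `geli
dump` yields on a scratch md device on that same machine. Metadata versions
newer than 1 are not covered by the layout here and will be rejected by the
MD5 check rather than patched.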
