Pipes password from kdialog to geli attach
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Sep 24 02:20:39 PDT 2007
On Sun, Sep 23, 2007 at 08:03:42PM +0200, Christian Baer wrote:
> On Sun, 23 Sep 2007 17:25:08 +0200 Pawel Jakub Dawidek wrote:
> > BTW. sha256 is not needed.
> Could be a good idea though when mounting several providers with one
> keyfile/passphrase combination - if they are "salted".
GELI already provides additional salt and passes passphrase/keyfiles
through the HMAC function.
> > Also, as it was mentioned, keyfiles are not preprocessed by PKCS#5v2,
> This however only provides additional protection when analysing the disc
> and a part of the passphrase is known. A brute force attack against the
> passphrase will work just as well, no matter if it is salted or not.
It's not about salt. The idea is to call HMAC some number of times on
the passphrase and use the result. I use 131072 iterations with my
passphrase, this means that to brute-force my passphrase an attacker
needs 2^17 more steps to do for each password he wants to try.
It takes about 2 seconds to calculate the key out of my passphrase
because of those 2^17 steps.
He can of course brute-force the result, but it's more or less totally
random and for HMAC/SHA256 he has 2^256 steps to do.
> > but this is a good example why it's worth adding such functionality.
> Good idea! I've been pondering the idea of writing a front-end for geli
> for some time but the fact of this missing feature stopped me because
> anyone using this frontend would lose functionality.
> If you make it possible to pass the passphrase on to geli from the command
> line or via a pipe or something, then I'll sit down and write the
> front-end for it. Provided, you don't expect me to do that in C. :-)
> Python would probably be my choice here.
We are planning to create a graphical front-end to GEOM at my company in
Python, but feel free to do a geli front-end as well :)
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
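
The iterated-HMAC derivation discussed in the message above, as an added example that is not part of the original post and is not geli's own code: it writes PKCS#5 v2 (PBKDF2) out as repeated HMAC calls, checks it against Python's standard library, and times one guess at the 2^17 iteration count quoted. The SHA-256 digest follows the message; the 64-byte salts and the passphrase are constructed sample values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 131072  # 2^17, the iteration count quoted in the message


def pbkdf2_block(passphrase: bytes, salt: bytes, iterations: int,
                 digest: str = "sha256") -> bytes:
    """First output block of PBKDF2 (PKCS#5 v2), written out as repeated HMAC."""
    # U_1 = HMAC(passphrase, salt || INT(1)); U_i = HMAC(passphrase, U_{i-1})
    u = hmac.new(passphrase, salt + (1).to_bytes(4, "big"), digest).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, digest).digest()
        acc ^= int.from_bytes(u, "big")  # T = U_1 xor U_2 xor ... xor U_c
    return acc.to_bytes(len(u), "big")


def derive(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Same derivation through the standard library's optimized implementation."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of testing one candidate passphrase on this machine."""
    start = time.perf_counter()
    derive(b"candidate", b"\x00" * 64, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample values: two per-provider salts and one passphrase.
    salt_a, salt_b = os.urandom(64), os.urandom(64)
    pw = b"correct horse battery staple"
    # The salt makes one passphrase yield unrelated keys on different providers.
    print("same key on both providers?", derive(pw, salt_a) == derive(pw, salt_b))
    # The iteration count multiplies the attacker's cost per candidate passphrase.
    for n in (1, 1024, ITERATIONS):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f} s per guess")
```

The per-guess time scales linearly with the iteration count, which is the extra work factor the message describes; the salt does not slow a single guess but prevents one derived key from being reused across providers.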