Questions on GELI encryption
Dan Naumov
dan.naumov at gmail.com
Wed May 27 11:45:49 UTC 2009
Hello (World) again :)
Sorry for creating another discussion thread so fast, but I figured
that since the new questions I have do not fall under the scope of
"CPU horsepower requirements for GELI", I thought they deserved a new
one:
1) I am reading the Handbook section on GELI (
http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html )
and I am a bit confused. The example
a) creates a keyfile
b) initializes a provider with the keyfile
c) attaches the provider
d) creates a new filesystem directly on the provider and
e) mounts it
Now, I am probably missing something very obvious, but are "slices" no
longer a requirement for creating and using an UFS filesystem in
FreeBSD?
2) The example in the Handbook encrypts the entire drive. If my system
is going to use 1 big drive, I want /home and /data encrypted, while
the rest of the system can stay non-encrypted, how should I go about
doing this? Should I create a single big slice with 1 big root
partition and 2 separated partitions for /home and /data and the
initialise GELI on these specific partitions? Can basically anything
be used a a "provider" for GELI? A disk drive, a slice, a partition
inside a slice, a file?
3) The handbook states the following: "It is not mandatory that both a
passphrase and a key file are used; either method of securing the
Master Key can be used in isolation.". Now, how to use just the
keyfile is pretty obvious, according to the geli manpage "geom init
-P" will not use the passphrase as the key component. However, if I
want to just protect my data using the passphrase and not use the
keyfile(s), how do I do this? What are the implications of using only
the passphrase instead of using both a passphrase and a keyfile?
Thanks!
Dan Naumov
More information about the freebsd-geom
mailing list