Questions on GELI encryption

Dan Naumov dan.naumov at gmail.com
Wed May 27 11:45:49 UTC 2009


Hello (World) again :)

Sorry for creating another discussion thread so fast, but I figured
that since the new questions I have do not fall under the scope of
"CPU horsepower requirements for GELI", I thought they deserved a new
one:

1) I am reading the Handbook section on GELI (
http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html )
and I am a bit confused. The example

  a) creates a keyfile
  b) initializes a provider with the keyfile
  c) attaches the provider
  d) creates a new filesystem directly on the provider and
  e) mounts it

Now, I am probably missing something very obvious, but are "slices" no
longer a requirement for creating and using a UFS filesystem in
FreeBSD?

2) The example in the Handbook encrypts the entire drive. If my system
is going to use 1 big drive, I want /home and /data encrypted, while
the rest of the system can stay non-encrypted, how should I go about
doing this? Should I create a single big slice with 1 big root
partition and 2 separate partitions for /home and /data and then
initialise GELI on these specific partitions? Can basically anything
be used as a "provider" for GELI? A disk drive, a slice, a partition
inside a slice, a file?

3) The handbook states the following: "It is not mandatory that both a
passphrase and a key file are used; either method of securing the
Master Key can be used in isolation." Now, how to use just the
keyfile is pretty obvious, according to the geli manpage "geom init
-P" will not use the passphrase as the key component. However, if I
want to just protect my data using the passphrase and not use the
keyfile(s), how do I do this? What are the implications of using only
the passphrase instead of using both a passphrase and a keyfile?


Thanks!

Dan Naumov
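As an added illustration of questions 2 and 3 (this is editor-supplied example code, not part of Dan's post or of the FreeBSD Handbook), the script below sets up two GELI providers on partitions inside a slice: one protected by a passphrase only and one by a key file only. GELI accepts any GEOM provider (a whole disk, a slice, a partition inside a slice, or a file attached through md(4)), so encrypting only the /home and /data partitions while leaving the root partition in the clear is simply a matter of pointing `geli init` at those partitions. The device names `ad0s1d` and `ad0s1e`, the mount points and the key directory `/root/keys` are assumptions. The flags used are the ones documented in geli(8): `-P` on init and `-p` on attach mean "do not use a passphrase", `-K`/`-k` supply a key file, `-B` writes a metadata backup. The script defaults to a dry run that prints the commands it would execute; set `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Editor-supplied example, not from the original post. Device names, mount
# points and key directory are assumptions; adjust them for your disk layout.
# DRY_RUN=1 (the default) prints every command instead of running it.

DRY_RUN="${DRY_RUN:-1}"
KEYDIR="${KEYDIR:-/root/keys}"   # assumed location for key files and backups

# run: execute a command, or print the exact command line under DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# eli_dev: the encrypted device geli creates for a provider (e.g. /dev/ad0s1d.eli).
eli_dev() {
    printf '/dev/%s.eli\n' "${1#/dev/}"
}

# Passphrase only: no -K on init and no -k on attach, so the passphrase is the
# sole component protecting the Master Key. geli(8) prompts for it interactively,
# and at boot the rc script will prompt for it again before mounting.
geli_passphrase_only() {
    dev="$1"; mnt="$2"
    backup="$KEYDIR/$(basename "$dev").backup"
    run geli init -s 4096 -B "$backup" "$dev"
    run geli attach "$dev"
    run newfs -U "$(eli_dev "$dev")"
    run mount "$(eli_dev "$dev")" "$mnt"
}

# Key file only: -P tells init not to use a passphrase, -K adds the key file as
# the only component; -p/-k do the same on attach. The key file must then be
# kept off the unencrypted root (removable media is the usual choice), because
# anyone holding the file can attach the provider without any secret.
geli_keyfile_only() {
    dev="$1"; mnt="$2"
    key="$KEYDIR/$(basename "$dev").key"
    run dd if=/dev/random of="$key" bs=64 count=1
    run chmod 0400 "$key"
    run geli init -s 4096 -P -K "$key" "$dev"
    run geli attach -p -k "$key" "$dev"
    run newfs -U "$(eli_dev "$dev")"
    run mount "$(eli_dev "$dev")" "$mnt"
}

# boot_config: the rc.conf(5) lines that attach a key-file provider at boot and
# the fstab line that mounts the resulting .eli device (printed, not written).
boot_config() {
    dev="${1#/dev/}"; mnt="$2"
    key="$KEYDIR/$dev.key"
    printf 'geli_devices="%s"\n' "$dev"
    printf 'geli_%s_flags="-p -k %s"\n' "$dev" "$key"
    printf '/dev/%s.eli\t%s\tufs\trw\t2\t2\n' "$dev" "$mnt"
}

# Example plan with the assumed layout: run "sh thisscript.sh plan" to see it.
if [ "${1:-}" = "plan" ]; then
    geli_passphrase_only /dev/ad0s1d /home
    geli_keyfile_only /dev/ad0s1e /data
    boot_config /dev/ad0s1e /data
fi
```

Running `sh geli-setup.sh plan` prints the full command sequence for both partitions together with the rc.conf and fstab lines; `DRY_RUN=0 sh geli-setup.sh plan` executes them, prompting for the passphrase where geli needs one.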