HAST + GELI?

Chad J. Milios milios at ccsys.com
Tue Dec 31 22:03:47 UTC 2013


Either way works great. Both ways have their benefits, pains and pitfalls. It depends on your use case, configuration, hardware, adversaries, etc. Like most security solutions, the devil, and weaknesses, lie in the details, like network engineering and key management. Care to elaborate for us?

By the way, I'll just point out, always, and now more so than ever in light of NSA and TAO, that full disk encryption is not the magic bullet we'd hope. About all you should expect from GELI is that it makes hard drive _disposal_ safer and easier at a drive's EOL, and even then not totally so. That being said, there is a worthwhile benefit _possible_ to achieve in the use case of a portable device, and many a data breach would have been prevented by proper application of GELI in that circumstance.

"Highly available" servers have a lot less practical use for GELI especially if either is colocated. If both of your HAST nodes are in your own facilities and you have a tight and practiced mayday procedure, perhaps in addition to an automated system to trigger panic mode, it has some very good merit.

In other cases software-based full disk encryption is really only going to thwart or inconvenience the weakest of adversaries, which of course may be all you need or the best you can hope for. I use GELI almost everywhere and I've deployed it both ways with HAST depending on the situation. Neither can be credited as the reason I get any sleep at night (simple exhaustion and unimportance in the cosmic scale are what do it for me), though they can certainly have their place in a well-thought-out security plan/procedure, if such a thing exists.

> On Dec 30, 2013, at 5:58 PM, Karl Pielorz <kpielorz_lst at tdx.co.uk> wrote:
> 
> 
> Hi All,
> 
> As I don't currently have the requisite two boxes to try this... Is it likely / possible you can use HAST with GELI? - i.e. to have a highly available, but encrypted-on-disk device?
> 
> If so, are you better off creating GELI devices (i.e. .eli) and running HAST on those, or creating HAST devices - and running GELI on those?
> 
> Thanks,
> 
> -Karl
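The two stackings Karl asks about, with the key-management and network details Chad says matter spelled out, as an added example that is not code from either poster: a POSIX sh script that emits the hast.conf and the ordered command sequence for each layering. The resource name `secdata`, the hosts `hasta`/`hastb`, the backing disk `/dev/ada1` and the key file `/root/secdata.key` are assumed placeholders; the script only prints the configuration and commands, it does not touch any device.

```shell
#!/bin/sh
# Added example (not from the thread): show the two ways of stacking GELI and
# HAST. All names below are assumed placeholders.

# Emit a two-node hast.conf resource block over the given backing provider.
hast_conf() {
    res=$1; host_a=$2; host_b=$3; dev=$4
    cat <<EOF
resource $res {
    on $host_a {
        local $dev
        remote $host_b
    }
    on $host_b {
        local $dev
        remote $host_a
    }
}
EOF
}

# Layering 1: GELI on top of HAST (/dev/hast/<res>.eli).
# The GELI metadata lives inside the replicated provider, so both nodes use
# the same key file; hastd only ever sees ciphertext, so the replication link
# carries ciphertext too. Only the current primary has /dev/hast/<res> and
# therefore the attached .eli device.
geli_over_hast() {
    res=$1; host_a=$2; host_b=$3; dev=$4; key=$5
    echo "# /etc/hast.conf on both nodes"
    hast_conf "$res" "$host_a" "$host_b" "$dev"
    echo "# on both nodes: initialise HAST metadata on the raw disk"
    echo "hastctl create $res"
    echo "# on the primary only"
    echo "hastctl role primary $res"
    echo "# one-time: GELI init goes through HAST, so it is replicated"
    echo "geli init -s 4096 -P -K $key /dev/hast/$res"
    echo "geli attach -p -k $key /dev/hast/$res"
    echo "# use /dev/hast/$res.eli; on failover the new primary runs"
    echo "# 'hastctl role primary $res' and the same geli attach with the same $key"
}

# Layering 2: HAST on top of GELI (/dev/hast/<res> over <dev>.eli).
# Each node attaches its own GELI provider, so the keys may differ per node
# and the secondary can be kept attached, but hastd now replicates plaintext
# blocks: the replication network must be trusted or separately protected.
hast_over_geli() {
    res=$1; host_a=$2; host_b=$3; dev=$4; key=$5
    echo "# on each node: encrypt the local disk first (keys may differ per node)"
    echo "geli init -s 4096 -P -K $key $dev"
    echo "geli attach -p -k $key $dev"
    echo "# /etc/hast.conf on both nodes, pointing at the .eli provider"
    hast_conf "$res" "$host_a" "$host_b" "$dev.eli"
    echo "hastctl create $res"
    echo "# on the primary only"
    echo "hastctl role primary $res"
    echo "# use /dev/hast/$res; note: hastd replication traffic is plaintext here"
}

echo "=== Layering 1: GELI over HAST ==="
geli_over_hast secdata hasta hastb /dev/ada1 /root/secdata.key
echo
echo "=== Layering 2: HAST over GELI ==="
hast_over_geli secdata hasta hastb /dev/ada1 /root/secdata.key
```

The `-P`/`-p` pair (keyfile only, no passphrase) is what makes an unattended failover possible; the price is that the key file has to be present on every node that can become primary, which is exactly the key-management detail Chad points at. In layering 1 that is unavoidable since both nodes must open the same GELI metadata; in layering 2 each node could hold a distinct key, but the plaintext replication stream has to be protected by other means.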

