geli or gbde encryption of slices

Pawel Jakub Dawidek pjd at FreeBSD.org
Fri Dec 16 11:19:36 PST 2005 

On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote:
+> Hello,
+> 
+> I was playing around with geli an gbde after last EuroBSDCon. 
+> I liked the idea of encrypting my data which resides in /home/$user.
+> Since this is a "single" user laptop i intended to encrypt the
+> whole /home partition. Well no problems with that. But i wanted
+> the lockfile or keyfile on a seperate usb disc. Which would be
+> mounted or used during boot of the system. I also used gshsec on
+> the usb disc to even make things more difficult. 
+> 
+> Well here is what i found. You can't use a none mounted disc for 
+> the keys, to take things further geli asks for the access passphrease
+> before any filesystems except / is mounted. Gbde fails also because
+> the system can't do interactivaly query for the passphrase. 

Unfortunately we needed to make a choice here: allow to encrypt /usr/,
etc. or allow for getting keys from more sources.

You can still do what you want, but not via rc.d/geli directly.

Geli(8) itself allows to use key from the raw device or anything else,
rc.d/geli is the thing which is not such flexible.
You may want to try adding some code to /etc/rc.local (which will take
part of the key from passphrase, part from USB Pen Drive and part for
gshsec(8) device):

	(cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | /sbin/geli attach -k /dev/stdin /dev/ad0s1e
	fsck_ffs -p /dev/ad0s1e.eli
	mount /dev/ad0s1e.eli /mnt/secure

Assuming that /mnt/pendrive is already mounted (it should be if placed
in /etc/fstab).

+> I wanted to use a 3 way authentication for the slice, encrypted fs, 
+> a usb key and passphrase. I can use geli without the usb key (keyfile).
+> But that would render a possible bruteforce entry. 

Even when you use passphrase only, geli(8) provides PKCS#5v2 to
strength it.
I'm using it with 131072 iterations, so it is 2^17 times harder to
brute-force my passphrase and takes about 2-3 seconds to attach
encrypted device on my laptop.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20051216/66ca542d/attachment.bin

More information about the freebsd-security mailing list