GELI versus GBDE?

Sam Baskinger sbaskinger at lumeta.com
Tue Apr 17 12:55:40 UTC 2007 

I've been working on a ruby script to manage some geli file systems and 
have had some good experience using "-k -" to make it read from standard 
in. It's mixed with popen calls instead of a more bash-y version, but it 
works. :)

I have not tried running it w/o a terminal allocated, but I suspect that 
won't make much of a difference.

(If the script wasn't in such sorry shape at the moment I would copy it 
along, but I don't think anyone wants to see it now. ;) )

Sam

Lumeta - Securing the Network in the Face of Change

www.lumeta.com


Nikolay Mirin wrote:
> Anyway, the other reasons that GBDE suck are:
> 
> 1) Lots of annoying ENOMEM messages, since the memory allocation calls 
> gbde makes are somewhat specific as I understand.
>    One can ignore those messages.
> 2) GELI provides a onetime key feature, which makes it incredibly 
> convenient for swap and /tmp encryption.
> 3) The secret key in GELI can be split between the keyfile and the 
> passphrase.
> 
> The only inconvenience I had with GELI is that if one wants to read a 
> passphrase in a script once and
> then open a bunch of volumes, than one has to use "expect" to feed the 
> passphrase to geli. It requires the terminal input and
> won't accept the stdin. GBDE does not have such issue.
> 
> P.S. One can actually have both in kernel.
> 
> Christian Brueffer said the following on 16.04.2007 11:21:
>> On Sun, Apr 15, 2007 at 08:56:07AM -0500, Nikolay Mirin wrote:
>>  
>>> Definitely GELI.
>>>
>>> GBDE will become obsolete very soon as some other things like vinum 
>>> and such. It was there just as a test of concept as I understand.
>>> Many those different disk subsystems are incompatible in fact, the 
>>> case of GBDE and Vinum is mentioned as an example in the handbook.
>>> Read more about GEOM, as this system will unite all possible disk 
>>> techniqies.
>>>
>>> Also, GELI takes advantage of crypto-hardware, but I believe that one 
>>> gets a benefit out of it only if the main CPU is very slow.
>>>
>>>     
>>
>> There are currently no plans to remove GBDE.  The problems with Vinum
>> you mention stemmed from the fact, that the original Vinum was not GEOM
>> aware, thus, GELI couldn't have been used with it as well.  gvinum has
>> been in existance for some time now and it's fully compatible to both
>> GBDE and GELI.
>>
>> - Christian
>>
>>   
> 
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>

More information about the freebsd-stable mailing list