A few things about GELI

Christian Brueffer chris at unixpages.org
Mon Jan 30 08:47:19 PST 2006


On Mon, Jan 30, 2006 at 04:46:38PM +0100, Christian Baer wrote:
> Good afternoon[1], fellow readers! :-)
> 
> Because I wanted something new to play with and because I found the idea
> of encrypting swap and temp space, I decided to give GELI a try. The
> idea of using crypto(9) seems good too, because that way hardware
> support is added at no extra cost - I know, that was part of the reason,
> why GELI was written. :-)
> 
> Note:
> This thread is not really related to the one I started on the security
> mailing-list. Because of the existing crypto-hardware GELI won that
> race described there. This here is more of personal interest.
> 
> The question is more of an academic nature, but interesting just the
> same: Can it be said that GELI is more secure (by design) than GBDE or
> vice versa? The differences are not only of cosmetic nature or in the
> user interface, but there is a real difference within the concept. Can
> one of these approaches be called more secure than the other[2]?
> 

There was a huge thread about this very topic on one of the NetBSD lists
and freebsd-hackers@ between phk and the guy that implemented cgd for
NetBSD (very similar in concept to geli).  So, if you're interested in
the gory details, I suggest you look that thread up.

To cut it short: opinions differ greatly.

> 
> Are there plans for a geli(4) manpage inspired by gbde(4) manpage? It
> just shows the non-expert wonderfully, how it works and how safe it is
> (in numbers).
> 

That would be very useful indeed.

> Now for some *real* questions... :-)
> 
> GBDE wants to be attached to a partition like adxs1d. The examples in
> the handbook however suggest that GELI should be attached to the
> hardware-device adx and not to a partition. Why is this so? I am
> guessing that GELI would be just as happy to be attached to ad1s1d as to
> ad1 (wouldn't this be mandatory if there were more than one partition on
> the drive?), but does this have any (dis-) advantages?
> 

You can encrypt arbitrary providers with geli (same as with gbde).  E.g.
on my notebook I have encrypted ad0s1f with geli and have it attach at
boot with the corresponding rc.conf variables.

> If I were to use encrypted swap space I couldn't use the fstab for these
> anymore. Should I do this with a start-up script and if so, where should
> I put it? 'Where' as in 'where should it be in the boot-order?'
> 

To have your partitions encrypted, you just have to add .eli (for geli)
or .bde (for gbde) to your device name in /etc/fstab, e.g. /dev/ad0s1b.eli
on my notebook.  The /etc/rc.d/encswap script does the rest automagically.
That means you don't have to worry about the boot-order.

(The above is true for 7-CURRENT and 6-STABLE, I'm not sure whether encswap
was part of 6.0-RELEASE.  For older versions, there were special gbde options
for rc.conf).

> Basically the same thing goes for temp-space. When should it be mounted?
> And more importantly, if I use a new key every time, wouldn't I need a
> newfs during every boot - before I mount /tmp?
> 

You could use a tmpmfs (see corresponding rc.conf variables).  Adding
it to the geli_devices variable probably just works(tm), but it depends
on the order of the rc scripts.

- Christian

-- 
Christian Brueffer	chris at unixpages.org	brueffer at FreeBSD.org
GPG Key:	 http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B  B29B 6C76 178C A0ED 982D
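
Added example, not part of the original message: a small sh check that reads an fstab and reports which swap entries sit on a `.eli` or `.bde` provider, as the reply describes, and which are still plain. The function names `audit_swap` and `write_sample` are hypothetical, and the sample fstab (including `ad1s1b`) is constructed for illustration.

```shell
#!/bin/sh
# Audit an fstab for swap entries that are not on a geli (.eli) or
# gbde (.bde) provider. Added illustration, not FreeBSD project code.

# audit_swap FILE
# Prints "encrypted <dev>" or "PLAIN <dev>" for each swap entry.
# Returns 1 if at least one plain swap entry exists, 0 otherwise.
audit_swap() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }     # skip comments and short lines
        $3 == "swap" {
            if ($1 ~ /\.(eli|bde)$/) {
                print "encrypted " $1
            } else {
                print "PLAIN " $1
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_sample FILE
# Writes a constructed fstab: one swap entry with the .eli suffix,
# one without it.
write_sample() {
    cat > "$1" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a       /           ufs     rw       1     1
/dev/ad0s1b.eli   none        swap    sw       0     0
/dev/ad1s1b       none        swap    sw       0     0
EOF
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
write_sample "$sample"
audit_swap "$sample" || echo "at least one swap entry is not encrypted"
```

On a real system, call `audit_swap /etc/fstab` instead of using the sample file.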