Changing geli-providers from passphrase to keyfile
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Mar 6 03:30:37 PST 2006
On Mon, Mar 06, 2006 at 11:58:46AM +0100, Christian Baer wrote:
+> geli supports changing passphrases. The question is, can I tell geli to
+> attach a provider created with a passphrase using a keyfile? If this
+> *is* possible, is it a good idea or rather not and, how is it done?
No, this is not possible and AFAIR we discussed it in the past already.
I'm not planning to add gbde(8)'s -p/-P options, because they only
create confusion - they were designed to be used for testing and now are
used in e.g. /etc/rc.d/encswap.

If you want to use one passphrase and still want PKCS#5v2 protection for
it you're on your own. You may for example create one big file with
random data and encrypt it with geli(8):

    # dd if=/dev/zero of=/etc/keys.bin bs=128k count=3
    # mdconfig -a -f /etc/keys.bin
    # geli init md0
    Enter new passphrase:
    Reenter new passphrase:
    # geli attach md0
    Enter passphrase:
    # dd if=/dev/random of=/dev/md0.eli bs=128k count=3

then use this random data to encrypt the real providers:

    # dd if=/dev/md0.eli bs=128k count=1 | geli attach -k - prov1
    # dd if=/dev/md0.eli bs=128k skip=1 count=1 | geli attach -k - prov2
    # dd if=/dev/md0.eli bs=128k skip=2 count=1 | geli attach -k - prov3
    # geli detach md0

--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
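
Added example, not part of the original message and not Pawel's code: a POSIX sh check to run on the key container before piping slices to `geli attach -k -`, confirming that each 128k slice is non-empty, not all zero bytes, and different from the others. The function names key_slice, digest and check_keystore are hypothetical, and sha256sum or FreeBSD's `sha256 -q` is assumed to be installed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): sanity-check key slices
# before they are handed to "geli attach -k -".
SLICE=131072   # 128k, the bs= value used in the message

# Print slice number $2 (0-based) of keystore $1 on stdout.
key_slice() {
    dd if="$1" bs="$SLICE" skip="$2" count=1 2>/dev/null
}

# Hash stdin: sha256sum where present, otherwise FreeBSD's sha256 -q.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        sha256 -q
    fi
}

# check_keystore FILE COUNT
# Returns 0 only if slices 0..COUNT-1 are non-empty, not all-zero and
# pairwise distinct. A short last slice is still usable as key data;
# an empty one is not. Key bytes are only piped, never written to disk.
check_keystore() {
    store=$1 count=$2 seen="" i=0
    while [ "$i" -lt "$count" ]; do
        size=$(key_slice "$store" "$i" | wc -c | tr -d ' ')
        if [ "$size" -eq 0 ]; then
            echo "slice $i: empty, keystore too small" >&2; return 1
        fi
        nonzero=$(key_slice "$store" "$i" | LC_ALL=C tr -d '\000' | wc -c | tr -d ' ')
        if [ "$nonzero" -eq 0 ]; then
            echo "slice $i: all zero bytes" >&2; return 2
        fi
        h=$(key_slice "$store" "$i" | digest)
        case " $seen " in
            *" $h "*) echo "slice $i: same data as an earlier slice" >&2; return 3 ;;
        esac
        seen="$seen $h"
        i=$((i + 1))
    done
    return 0
}
```

With the container attached as in the message, `check_keystore /dev/md0.eli 3` should return 0 before any provider is attached.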