Questions on GELI encryption

Pete French petefrench at ticketswitch.com
Wed May 27 12:27:17 UTC 2009


> 3) The handbook states the following: "It is not mandatory that both a
> passphrase and a key file are used; either method of securing the
> Master Key can be used in isolation.". Now, how to use just the
> keyfile is pretty obvious, according to the geli manpage "geom init
> -P" will not use the passphrase as the key component. However, if I
> want to just protect my data using the passphrase and not use the
> keyfile(s), how do I do this? What are the implications of using only
> the passphrase instead of using both a passphrase and a keyfile?

Just initialise it with only the passphrase, and it will ask for
it on boot.

One thing which always annoyed me was with multiple encrypted drives it would
ask me for the password multiple times on boot (I have a zpool over
the top of encrypted drives). I eventually solved this with a very small
encrypted partition (a couple of K) which is then used as the keyfile
for the other partitions. So it asks me once, decrypts the small
passphrase partition (which is full of random data) and then uses that
as the keyfile for the rest of the drives. Works quite nicely.

-pete.
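The layout Pete describes, written out as an added example (not from the original post or the FreeBSD project): a tiny passphrase-only geli provider holds random bytes, and the data disks are initialised with `-P` (no passphrase) and `-K` pointing at that decrypted provider, then attached with `-p -k`. Device names (`ada0p3`, `ada1`-`ada3`) and the 4 KiB keyfile size are assumptions. The script runs in dry-run mode by default, printing the commands instead of executing them, so it can be reviewed on a machine without geli; set `DRY_RUN=0` on a FreeBSD host with those devices to actually run it.

```shell
#!/bin/sh
# Added example: one passphrase prompt for several geli-encrypted disks.
# Device names below are hypothetical; adjust before running for real.
set -eu

KEYPART=/dev/ada0p3            # hypothetical tiny partition holding the random keyfile
DATA_DISKS="ada1 ada2 ada3"    # hypothetical disks that will carry the zpool
KEYFILE_BYTES=4096             # "a couple of K" of random data is plenty

# Execute a command, or just print it when DRY_RUN=1 (the default),
# so the sequence can be inspected without touching any disks.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the key partition is protected by the passphrase alone
# (no -K, no -P), so this is the only provider that prompts.
# After attaching, fill the decrypted provider with random bytes;
# geli -K reads the whole file until EOF, which is why the partition stays small.
init_keypart() {
    run geli init -e AES-XTS -l 256 -s 4096 "$KEYPART"
    run geli attach "$KEYPART"
    run dd if=/dev/random of="${KEYPART}.eli" bs="$KEYFILE_BYTES" count=1
}

# Step 2: each data disk is keyed only by the contents of the decrypted
# key partition: -P at init means "no passphrase component", and
# -p at attach means "do not ask for one".
init_data_disks() {
    for d in $DATA_DISKS; do
        run geli init -P -K "${KEYPART}.eli" -e AES-XTS -l 256 -s 4096 "/dev/$d"
        run geli attach -p -k "${KEYPART}.eli" "/dev/$d"
    done
}

# Step 3: rc.conf(5) lines for rc.d/geli. The key partition must be listed
# first so that it is attached (and the passphrase asked for once) before
# the data disks that depend on it.
gen_rc_conf() {
    keyname=${KEYPART#/dev/}
    printf 'geli_devices="%s %s"\n' "$keyname" "$DATA_DISKS"
    for d in $DATA_DISKS; do
        printf 'geli_%s_flags="-p -k %s.eli"\n' "$d" "$KEYPART"
    done
}

main() {
    init_keypart
    init_data_disks
    echo "# add to /etc/rc.conf:"
    gen_rc_conf
}

# Only run the sequence when executed directly, not when sourced.
case "${0##*/}" in
    *.sh|sh|bash|dash) ;;
    *) main ;;
esac
```

The order in `geli_devices` is the important detail: rc.d/geli attaches providers in the order listed, and a data disk whose keyfile provider is not yet attached will fail to attach with `-k /dev/ada0p3.eli`. Losing the key partition (or its passphrase) loses every disk keyed from it, so back up its geli metadata with `geli backup` as well.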


More information about the freebsd-geom mailing list