Questions on GELI encryption

RW rwmaillists at googlemail.com
Wed May 27 16:56:26 UTC 2009


On Wed, 27 May 2009 18:57:11 +0300
Dan Naumov <dan.naumov at gmail.com> wrote:

> And some further questions:
> 
> 1) Is there any basis for the claims that in the event of a failure
> (power outage, slowly dying drive, etc) that one is much more likely
> to lose ALL his data when using encryption vs not using any
> encryption? The argument is that when you have a non-encrypted drive
> or partition that is damaged, you have a lot of tools at your disposal
> to attempt to recover your data, but if your data is encrypted, even a
> relatively low amount of damage in the "wrong" place on the
> drive/partition can cause it to become undecipherable and cause
> complete loss of data.

You can back up the metadata to a file; if you lock yourself out you can
use the install disk as a "live CD".

> 
> 2) Thanks to the help I have received so far, I now know how to use
> "passkey + keyfile", "keyfile" and "passkey" init and authentication
> methods for an encrypted GELI provider. The question I have is whether
> it is possible to have a "passkey OR keyfile" authentication method
> when using GELI. The idea is to normally use a strong passkey for
> attaching and using the providers, while keeping a keyfile stored
> "elsewhere" in a safe location out of premises. In the event of
> forgetting the passkey, the keyfile would be retrieved and used to
> access the data and change the forgotten passkey.
> 


I've not used it myself, but take a look at the setkey option. You
could have key 0 as a passphrase and key 1 as a file. OTOH I don't see
the advantage of keeping the file in a safe place over keeping the
passphrase in a safe place.
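The two-slot scheme suggested above (passphrase in key slot 0, keyfile in slot 1, each able to attach the provider on its own) together with the metadata backup mentioned earlier, written out as an added example; this is not code from the thread or from FreeBSD itself. The provider name `da1`, the keyfile path `/root/keys/da1.key` and the backup path `/root/keys/da1.eli` are assumed placeholders. The script only prints the geli(8) commands unless `geli` is installed and `GELI_DRY_RUN=0`, so the sequence can be reviewed before it touches a disk:

```shell
#!/bin/sh
# Added example (not from the thread): GELI provider unlockable by EITHER a
# passphrase (slot 0) OR a keyfile (slot 1), plus metadata backup/restore.
# PROV, KEYFILE and BACKUP are assumed placeholders; adjust before real use.

PROV="${PROV:-da1}"                            # placeholder provider name
KEYFILE="${KEYFILE:-/root/keys/${PROV}.key}"   # placeholder; store a copy off-site
BACKUP="${BACKUP:-/root/keys/${PROV}.eli}"     # placeholder metadata backup file

# Default to dry-run when geli(8) is not available (e.g. on a non-FreeBSD host).
if [ -z "${GELI_DRY_RUN:-}" ] && ! command -v geli >/dev/null 2>&1; then
    GELI_DRY_RUN=1
fi

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${GELI_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: initialise the provider with a passphrase only. geli init stores the
# master key encrypted under the passphrase-derived key in slot 0.
geli_init_passphrase() {
    run geli init -s 4096 "/dev/${PROV}"
}

# Step 2: copy the on-disk metadata (salt, encrypted master key slots) to a file.
# If that metadata sector is ever damaged, `geli restore` writes it back; without
# a backup, the master key is unrecoverable even if the data sectors are intact.
geli_backup_metadata() {
    run geli backup "/dev/${PROV}" "${BACKUP}"
}

# Step 3: generate a random keyfile and put it in slot 1 with -P, i.e. without a
# passphrase, so the file alone unlocks that slot. geli prompts for the slot-0
# passphrase here because a current key is needed to authorise the change.
geli_add_keyfile_slot() {
    run dd if=/dev/random of="${KEYFILE}" bs=64 count=1
    run chmod 0400 "${KEYFILE}"
    run geli setkey -n 1 -P -K "${KEYFILE}" "/dev/${PROV}"
}

# Either credential attaches the provider: passphrase (interactive prompt) or
# keyfile (-p skips the passphrase prompt, -k supplies the file).
geli_attach_with_passphrase() { run geli attach "/dev/${PROV}"; }
geli_attach_with_keyfile()    { run geli attach -p -k "${KEYFILE}" "/dev/${PROV}"; }

# Recovery path from the question: passphrase forgotten, keyfile retrieved from
# off-site. Authorise with the keyfile (-p -k), then overwrite slot 0 with a new
# passphrase (geli prompts for it), and refresh the metadata backup.
geli_reset_forgotten_passphrase() {
    run geli setkey -n 0 -p -k "${KEYFILE}" "/dev/${PROV}"
    run geli backup "/dev/${PROV}" "${BACKUP}"
}

# Restore path for the first question: damaged metadata, intact data sectors.
geli_restore_metadata() {
    run geli restore "${BACKUP}" "/dev/${PROV}"
}

# Full setup in order; slot 1 changes the metadata, so back it up again afterwards.
geli_dual_key_setup() {
    geli_init_passphrase
    geli_backup_metadata
    geli_add_keyfile_slot
    geli_backup_metadata
}

geli_dual_key_setup
```

Keep `/root/keys/da1.eli` and the keyfile on separate media from the provider; a backup stored on the encrypted disk it describes is no backup at all.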

More information about the freebsd-geom mailing list