geli - why do I need a keyfile
RW
rwmaillists at googlemail.com
Sat Sep 15 19:18:23 UTC 2018
On Fri, 14 Sep 2018 17:55:58 -0700
Lee Brown wrote:
> I want to create a geli provider as authentication only, no password,
> no encryption. I do:
...
> Instead:
> # echo " " > /tmp/key
> solves that issue, but I still don't get why I even need a key file
> with -e NULL?
Because HMAC itself needs an encrypted secret key, otherwise anyone
could write to the device without it being detectable.
Without a securely entered passphrase, or a passfile on removable media,
HMAC doesn't provide any authentication, it just detects bitrot and
naive attempts to modify the filesystem.
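A small model of the point made above, added here as an example (it is not part of the thread and does not reproduce geli's actual on-disk layout; the construction, HMAC-SHA256 over the sector number and sector contents, is an assumption for illustration): with a guessable key such as the whitespace keyfile, the tag still catches bitrot but not a deliberate rewrite by anyone who simply recomputes it, whereas a secret key catches both.

```python
import hmac
import hashlib
import secrets

SECTOR = 512  # bytes per sector in this model


def auth_tag(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Integrity tag for one sector: HMAC-SHA256 over sector number + data.
    (Assumed construction for this example, not geli's exact format.)"""
    return hmac.new(key, sector_no.to_bytes(8, "little") + data, hashlib.sha256).digest()


def write_sector(store: dict, key: bytes, sector_no: int, data: bytes) -> None:
    store[sector_no] = (data, auth_tag(key, sector_no, data))


def verify_sector(store: dict, key: bytes, sector_no: int) -> bool:
    data, tag = store[sector_no]
    return hmac.compare_digest(tag, auth_tag(key, sector_no, data))


def scenario(key: bytes, attacker_knows_key: bool) -> dict:
    """Returns which events the verifier (holding `key`) can detect."""
    store = {}
    write_sector(store, key, 0, b"A" * SECTOR)  # constructed sample sector

    # 1. bitrot: a single flipped bit, tag left untouched
    data, tag = store[0]
    store[0] = (bytes([data[0] ^ 0x01]) + data[1:], tag)
    bitrot_detected = not verify_sector(store, key, 0)

    # 2. deliberate rewrite, tag recomputed with whatever key the writer has
    forged = b"B" * SECTOR
    writer_key = key if attacker_knows_key else b"wrong-guess"  # constructed
    store[0] = (forged, auth_tag(writer_key, 0, forged))
    tamper_detected = not verify_sector(store, key, 0)

    return {"bitrot_detected": bitrot_detected, "tamper_detected": tamper_detected}


def compare() -> dict:
    # `echo " " > /tmp/key` from the thread: a key anyone can guess
    public_key = b" \n"
    secret_key = secrets.token_bytes(64)  # what a real passfile should hold
    return {
        "public_key": scenario(public_key, attacker_knows_key=True),
        "secret_key": scenario(secret_key, attacker_knows_key=False),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```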