GBDE and GELI security

RW fbsd06 at
Tue Dec 4 21:47:00 PST 2007

On Tue, 4 Dec 2007 17:04:23 -0700
Chad Perrin <perrin at> wrote:

> I've read reports to the effect that GBDE is vulnerable to online
> dictionary attacks unless two-factor authentication is used.  The only
> such report I can find now is this discussion of NetBSD's CGD, where
> its author contrasts it with GBDE:
> Is this still the case?  Are there any other security concerns
> related to GBDE's implementation that you might mention?  How well
> does GELI stack up against GBDE?

I think it's this:

I don't know much about the internals of GBDE, but if we take his
description of it at face value, it seems to be fair criticism.

I think it's actually saying that GBDE assumes the user will provide
enough user-key entropy, and doesn't do anything to mitigate the use
of weaker passphrases.

Geli uses salt and PKCS #5 so it's pretty much blameless in this area.

More information about the freebsd-questions mailing list