geli keys
Roland Smith
rsmith at xs4all.nl
Sun Oct 24 16:04:35 UTC 2010
On Sun, Oct 24, 2010 at 05:14:57PM +0700, Victor Sudakov wrote:
> Colleagues,
>
> The geli(8) man page suggests initializing a geli provider with a
> random keyfile (geli init -K). It also asks for a passphrase by default.
>
> What happens if a provider is initialized without the -K option, just
> with a passphrase?
The passphrase is not used as the key directly. It is used to derive the key
with PKCS #5 [see http://www.faqs.org/rfcs/rfc2898.html].
> Will there be no encryption?
No, there will be encryption.
> Encryption will be weaker?
I don't think so. But it depends on a lot of things.
If you use a keyfile, it needs to be on an unencrypted (or previously
decrypted) partition, and it needs to be referenced in /etc/rc.conf if you
want to be able to mount that partition at boot. So the keyfile might be
random but it may not be secret (unless you put it on a USB thumbdrive and
mount that before mounting the encrypted fs).
Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
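
The passphrase-to-key derivation mentioned in the reply, as an added example that is not part of the original message and is not geli's own code: PBKDF2 from RFC 2898 section 5.2, built directly on HMAC. The hash (SHA-512), salts, iteration count and passphrase are assumptions chosen for illustration, not geli's actual parameters.

```python
import hashlib
import hmac
import struct


def pbkdf2(hash_name, passphrase, salt, iterations, dklen):
    """PBKDF2 (RFC 2898, section 5.2) built directly on HMAC."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    nblocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = b""
    for i in range(1, nblocks + 1):
        # U_1 = HMAC(P, S || INT(i)); U_j = HMAC(P, U_{j-1})
        # T_i = U_1 xor U_2 xor ... xor U_c
        u = hmac.new(passphrase, salt + struct.pack(">I", i), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


if __name__ == "__main__":
    # Constructed sample values (assumptions); a real salt is random.
    passphrase = b"correct horse battery staple"
    salt_a = bytes(range(64))
    salt_b = bytes(range(1, 65))
    iterations = 2000  # illustrative work factor only

    key_a = pbkdf2("sha512", passphrase, salt_a, iterations, 64)
    key_b = pbkdf2("sha512", passphrase, salt_b, iterations, 64)

    # The derived key is fixed-length and is not the passphrase bytes.
    print("key (salt A):", key_a.hex())
    # The same passphrase under a different salt gives an unrelated key.
    print("key (salt B):", key_b.hex())
    print("keys differ :", key_a != key_b)
    # Cross-check against the standard library implementation.
    ref = hashlib.pbkdf2_hmac("sha512", passphrase, salt_a, iterations, 64)
    print("matches hashlib.pbkdf2_hmac:", key_a == ref)
```

The iteration count sets the cost of each passphrase guess, so a passphrase-only setup is only as strong as the passphrase's entropy multiplied by that work factor.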