geli keys

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Oct 25 03:07:15 UTC 2010


RW wrote:
> > 
> > The geli(8) man page suggests initializing a geli provider with a
> > random keyfile (geli init -K). It also asks for a passphrase by
> > default.
> > 
> > What happens if a provider is initialized without the -K option, just
> > with a passphrase? Will there be no encryption? Encryption will be
> > weaker?
> 
> You can use either or both, they get combined. 

I see.

> It's hard to remember a passphrase that contains 256 bits of entropy,
> OTOH a passfile might get stolen, so some people will want to use both.

Why does the geli(8) man page always use a 64B long keyfile as an example?
Why 64 bytes and not 128 or 1024 or whatever?

What if I use a well randomized keyfile and a weak passphrase, will the
master key be weaker?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru


More information about the freebsd-questions mailing list