geli USB key and a copy of this in file system

Matthias Apitz guru at
Thu Mar 23 12:11:43 UTC 2017


I have some secrets stored on a USB key which is encrypted with geli(8)
that way:

making a geli-USB stick:

# geli init -s 2048 /dev/da0
Enter new passphrase: 
Reenter new passphrase: 

# geli attach /dev/da0
Enter passphrase: 

# dd if=/dev/random of=/dev/da0.eli bs=1m

# newfs /dev/da0.eli

The secret files themselves within the /dev/da0.eli filesystem are ciphered
with GnuPG and the USB key is stored at home in a safe place.

To carry a copy with me on my laptop, I have a copy of the USB key as a
file 'geli.dd' which can be used the same way, i.e.

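# Attach geli.dd as a vnode-backed memory disk; mdconfig prints the unit (e.g. md0)
MD=`mdconfig -a -t vnode -f geli.dd` || exit 1
echo attaching ${MD} and mounting /dev/${MD}.eli
# Record the unit name in /tmp/geli
echo ${MD} > /tmp/geli
# Ask for the passphrase; if attaching fails, release the memory disk again
geli attach ${MD} || {
    mdconfig -d -u ${MD}
    exit 1
}
mount /dev/${MD}.eli /priv
ls -l /priv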

Of course, this is only to have read access to the data (or store something
temporarily to copy it later to the primary place, the USB geli
partition on the key).

My question is: Is there any concern about the security of the data
stored in 'geli.dd', for example in case of laptop theft or loss?



Matthias Apitz, ✉ guru at, ⌂  ☎ +49-176-38902045
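
The image file only protects the data at rest while it is detached: as long as /dev/mdN.eli is attached, the keys are in kernel memory and /priv is readable. The following teardown counterpart to the attach script is an added example, not part of the original post; the function name geli_image_close and the STATE/MNT variables are hypothetical, while /tmp/geli and /priv are taken from the script above.

```shell
#!/bin/sh
# Added example: close the laptop copy opened by the attach script above.
# Assumptions: the attach script wrote the md unit name (e.g. "md0") to
# /tmp/geli and mounted /dev/<unit>.eli on /priv.

STATE=${STATE:-/tmp/geli}   # file holding the md unit name
MNT=${MNT:-/priv}           # mount point of the decrypted file system

geli_image_close() {
    [ -r "$STATE" ] || { echo "no state file: $STATE" >&2; return 1; }
    md=$(cat "$STATE")

    # /tmp is world-writable, so accept nothing but "md" followed by digits
    # before handing the value to commands that run as root.
    unit=${md#md}
    case "$unit" in
        ''|*[!0-9]*) echo "unexpected content in $STATE" >&2; return 1 ;;
    esac
    [ "$md" = "md$unit" ] || { echo "unexpected content in $STATE" >&2; return 1; }

    # Order matters: unmount first, then detach the .eli provider (this
    # clears the keys from memory), and only then destroy the memory disk.
    umount "$MNT"            || return 2
    geli detach "${md}.eli"  || return 3
    mdconfig -d -u "$md"     || return 4

    rm -f "$STATE"
}

# Run as: sh geli-close.sh close   (the script file name is an assumption)
case "${1:-}" in
    close) geli_image_close ;;
esac
```

Stopping at the first failing step keeps the state file in place, so the remaining steps can be retried once whatever is holding /priv busy has been closed.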

More information about the freebsd-questions mailing list