GnuPG smart card && geli

RW rwmaillists at
Fri May 19 15:14:23 UTC 2017

On Fri, 19 May 2017 10:19:06 -0400
mfv via freebsd-questions wrote:

> >This would lead to a system (netbook) which never can be booted or
> >otherwise data read from and you can only boot it with the USB boot
> >key, the USB GnuPG-card and the PIN (normally 6 digits).

6 digits doesn't sound very secure.

> >Any comments on this?
> >
> >	matthias
> >  
> Hello Matthias,
> I agree with your idea.  Some time ago I did some research to find out
> a method to read the password from a USB memory stick but was not
> successful.  I was not concerned with disk encryption, just wanted a
> very long password, automatic login and no system access without a
> hardware key.  

A geli device can be set-up to use a passphrase and/or a passfile. You
could just put the passfile on a memory stick and not use
a passphrase at all.

FWIW I use a passfile to attach geli encrypted partitions, but the
passfile is stored in a small geli encrypted file-backed md device
that's passphrase protected. I did this just to avoid having to type any
more than I need to, but that backing file could just as easily be on a
memory stick.  

More information about the freebsd-questions mailing list