GnuPG smart card && geli

Matthias Apitz guru at
Fri May 19 15:25:57 UTC 2017

On Friday, May 19, 2017 at 04:14:16 p.m. +0100, RW via freebsd-questions wrote:

> On Fri, 19 May 2017 10:19:06 -0400
> mfv via freebsd-questions wrote:
> > >This would lead to a system (netbook) which never can be booted or
> > >otherwise data read from and you can only boot it with the USB boot
> > >key, the USB GnuPG-card and the PIN (normally 6 digits).
> 6 digits doesn't sound very secure.

You can use as many digits as you want (and can remember). Already 6 is
*very* secure because you have only 3 tries to guess the right one, i.e.
no brute force.

> > >Any comments on this?
> > >
> > >	matthias
> > >  
> > 
> > Hello Matthias,
> > 
> > I agree with your idea.  Some time ago I did some research to find out
> > a method to read the password from a USB memory stick but was not
> > successful.  I was not concerned with disk encryption, just wanted a
> > very long password, automatic login and no system access without a
> > hardware key.  
> A geli device can be set-up to use a passphrase and/or a passfile. You
> could just put the passfile on a memory stick and not use
> a passphrase at all.

*This* is very insecure when the key gets stolen or copied (i.e. you may
not even know that someone can enter your system at any time). When
the GnuPG stick gets stolen, it is useless for attackers due to missing

> FWIW I use a passfile to attach geli encrypted partitions, but the
> passfile is stored in a small geli encrypted file-backed md device
> that's passphrase protected. I did this just to avoid having to type any
> more than I need to, but that backing file could just as easily be on a
> memory stick.  

Yes, and it can be opened with brute force attacks, depending on the key
length and the computing power.


Matthias Apitz, ✉ guru at, ⌂  ☎ +49-176-38902045
Public GnuPG key:
May 8, 1945: Who does not celebrate lost the War.
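RW's arrangement from the thread (the geli passfile kept inside a small passphrase-protected, file-backed md device) written out as a FreeBSD shell script. This is an added example, not RW's or the list's own code; the partition, backing-file path, md unit and mount point are assumed, and `-i` is included because it addresses the offline-guessing concern Matthias raises.

```shell
#!/bin/sh
# Added example: a passphrase-protected "vault" for a geli key file.
# The data partition is unlocked by a random key file only (-P: no passphrase),
# and that key file lives on a tiny file-backed md device that geli protects
# with a passphrase. Assumed names: DISK, VAULT_IMG, MD_UNIT, MNT.
set -eu

DISK=${DISK:-/dev/ada0p3}                # partition to encrypt (assumed)
VAULT_IMG=${VAULT_IMG:-/boot/vault.img}  # backing file; could sit on a USB stick
MD_UNIT=${MD_UNIT:-9}                    # md unit number to use (assumed)
MNT=${MNT:-/mnt/vault}                   # where the vault is mounted (assumed)
DRY_RUN=${DRY_RUN:-0}                    # 1 = print the commands instead of running

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time setup: build the passphrase-protected vault and a random key in it.
create_vault() {
    run dd if=/dev/zero of="$VAULT_IMG" bs=1m count=1   # BSD dd size suffix
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$MD_UNIT"
    # -i raises the PKCS#5v2 iteration count so that guessing the vault
    # passphrase offline (the weakness Matthias points out) costs more per try.
    run geli init -s 4096 -i 1000000 "/dev/md$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run newfs "/dev/md$MD_UNIT.eli"
    run mkdir -p "$MNT"
    run mount "/dev/md$MD_UNIT.eli" "$MNT"
    run dd if=/dev/random of="$MNT/geli.key" bs=64 count=1
    run chmod 0400 "$MNT/geli.key"
}

# One-time: encrypt DISK with the key file only (-P: no passphrase on DISK).
init_disk() {
    run geli init -s 4096 -P -K "$MNT/geli.key" "$DISK"
}

# Every boot: open the vault (passphrase prompt), attach DISK with the key
# file (-p: no passphrase), then close the vault so the key is not left mounted.
attach_disk() {
    run mdconfig -a -t vnode -f "$VAULT_IMG" -u "$MD_UNIT"
    run geli attach "/dev/md$MD_UNIT"
    run mount -o ro "/dev/md$MD_UNIT.eli" "$MNT"
    run geli attach -p -k "$MNT/geli.key" "$DISK"
    run umount "$MNT"
    run geli detach "/dev/md$MD_UNIT"
    run mdconfig -d -u "$MD_UNIT"
}
```

Run with `DRY_RUN=1` first to review the exact commands before touching real devices.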
