GnuPG smart card && geli

RW rwmaillists at
Fri May 19 16:47:41 UTC 2017

On Fri, 19 May 2017 17:25:46 +0200
Matthias Apitz wrote:

> El día viernes, mayo 19, 2017 a las 04:14:16p. m. +0100, RW via
> freebsd-questions escribió:
> > On Fri, 19 May 2017 10:19:06 -0400
> > mfv via freebsd-questions wrote:

> > A geli device can be set-up to use a passphrase and/or a passfile.
> > You could just put the passfile on a memory stick and not use
> > a passphrase at all.  
> *This* is very insecure when the key gets stolen or copied (i.e. you
> may even not know that someone all the time can enter in your
> system). When the GnuPG stick gets stolen, it is useless for
> attackers due to missing PIN.

I mentioned it solely because the key being stolen and used to access
the device is explicitly not in his threat model. 

> > FWIW I use a passfile to attach geli encrypted partitions, but the
> > passfile is stored in a small geli encrypted file-backed md device
> > that's passphrase protected. I did this just to avoid having to
> > type any more than I need to, but that backing file could just as
> > easily be on a memory stick.    
> Yes, and can be opened with brute force attacks, depending on the key
> length and the computing power.

It depends on your threat model. For most people either are better than
they need to be. If you think you might have to stand up to a serious
attack by the likes of the NSA then you have to be certain that
they can't bypass the 3 attempts limit on the card.   

I'd also be seriously concerned about that 3 attempt limit locking me
out of my data. 

More information about the freebsd-questions mailing list