GnuPG smart card && geli

[Matthias Apitz]

On Friday, 19 May 2017 18:47:34 CEST, RW via freebsd-questions 
<freebsd-questions at freebsd.org> wrote:
> On Fri, 19 May 2017 17:25:46 +0200
> Matthias Apitz wrote:
>
>> El día viernes, mayo 19, 2017 a las 04:14:16p. m. +0100, RW via
>> freebsd-questions escribió:
>> 
>> > On Fri, 19 May 2017 10:19:06 -0400
>> > mfv via freebsd-questions wrote:
>
>> > A geli device can be set-up to use a passphrase and/or a passfile.
>> > You could just put the passfile on a memory stick and not use
>> > a passphrase at all.  
>> 
>> *This* is very insecure when the key gets stolen or copied (i.e. you
>> may even not know that someone all the time can enter in your
>> system). When the GnuPG stick gets stolen, it is useless for
>> attackers due to missing PIN.
>
> I mentioned it solely because the key being stolen and used to access
> the device is explicitly not in his threat model. 
>
>
>> > FWIW I use a passfile to attach geli encrypted partitions, but the
>> > passfile is stored in a small geli encrypted file-backed md device
>> > that's passphrase protected. I did this just to avoid having to
>> > type any more than I need to, but that backing file could just as
>> > easily be on a memory stick.    
>> 
>> Yes, and can be opened with brute force attacks, depending on the key
>> length and the computing power.
>
> It depends on your threat model. For most people either are better than
> they need to be. If you think you might have to stand up to a serious
> attack by the likes of the NSA then you have to be certain that
> they can't bypass the 3 attempts limit on the card.   
>
> I'd also be seriously concerned about that 3 attempt limit locking me
> out of my data. 

On the GnuPG card you have an admin account with another PIN (in my case 8 
digits) to unlock your locked SIM, with 3 attemps too. After this, the card 
is to.throw away, if you fail.


-- 
Sent from my Ubuntu phone
http://www.unixarea.de/