Automatic Geli?
Robert Simmons
rsimmons0 at gmail.com
Thu Apr 12 16:24:32 UTC 2012
On Wed, Apr 11, 2012 at 11:27 PM, <perryh at pluto.rain.com> wrote:
> Pawel Jakub Dawidek <pjd at freebsd.org> wrote:
>
>> If they distribute encrypted image that actually works, it means
>> they distribute the key along with the image. As was already noted
>> this serves no purpose, as you can extract the key from the image
>> and decrypt the whole thing on your own.
>
> s/serves no purpose/provides no real security/
>
> It will stop those who can't figure out _how_ to extract the key
> from the image, and it will deter those whose interest in bypassing
> the encryption is not strong enough to justify the effort. Making
> offline access non-trivial might also have legal implications in
> some jurisdictions, since having gone to the trouble of extracting
> the key would impair the credibility of a subsequent assertion that
> any improprieties had been inadvertent.

It will stop those who can figure out how???? It's a file in the
unencrypted portion of the image. "extracting" would entail "geli
attach -j /pathto/foo.pass -k /pathto/foo.key /dev/foo0"

There is no effort involved. And they are not "bypassing the
encryption" or "making offline access non-trivial". They are "doing
it wrong".

I'm not sure that anything you said makes sense.

More information about the freebsd-geom mailing list