geli or gbde encryption of slices
Robert Blacquiere
freebsd-security at guldan.demon.nl
Sun Dec 11 04:33:52 PST 2005
Hello,
I was playing around with geli and gbde after last EuroBSDCon.
I liked the idea of encrypting my data which resides in /home/$user.
Since this is a "single" user laptop I intended to encrypt the
whole /home partition. Well, no problems with that. But I wanted
the lockfile or keyfile on a separate usb disc, which would be
mounted or used during boot of the system. I also used gshsec on
the usb disc to make things even more difficult.
Well, here is what I found. You can't use a non-mounted disc for
the keys; to take things further, geli asks for the access passphrase
before any filesystems except / are mounted. Gbde fails also because
the system can't interactively query for the passphrase.
I wanted to use a 3-way authentication for the slice: encrypted fs,
a usb key and passphrase. I can use geli without the usb key (keyfile),
but that would render a possible bruteforce entry.
Is there a way to have something similar to this working? I even
thought of using something like vendor, product and serial ids for
the "keyfile", which could be used with any usb device on the usb bus.
Have any of you thought about these things and have a way to do
this sort of thing (keyfile on usb drive)?
Robert
--
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!
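As an added example (not part of the original post or of the FreeBSD rc scripts), the script below shows the keyfile-plus-passphrase geli setup the post is after: a random keyfile is generated, `geli init -K keyfile` (without `-P`) binds the provider to both the keyfile and an interactive passphrase, and the rc.conf lines let /etc/rc.d/geli attach the provider at boot with `-k keyfile`. The device name `ad0s1d`, the key path `/mnt/usbkey/home.key` and the 64-byte key length are assumptions. The caveat the post already observes still applies: the geli rc script runs before the local file systems are mounted, so the keyfile path must be readable at that point; a keyfile on a separately mounted USB file system is not, which is exactly the gap being asked about.

```shell
#!/bin/sh
# Added example, not from the original post: two-factor (keyfile + passphrase)
# geli setup for a /home slice. Device name and key path are assumptions.
PROVIDER=${PROVIDER:-ad0s1d}                 # assumed slice holding /home
KEYFILE=${KEYFILE:-/mnt/usbkey/home.key}     # assumed keyfile location

# Write a 64-byte random keyfile, readable only by root. geli hashes the whole
# file into the key, so the same bytes must be present at every attach.
make_keyfile() {
    dd if=/dev/urandom of="$1" bs=64 count=1 2>/dev/null || return 1
    chmod 0400 "$1" || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# The init command. -K adds the keyfile as one key component; because -P is
# NOT given, geli also prompts for a passphrase, so an attacker needs both.
init_cmd() {
    printf 'geli init -K %s /dev/%s' "$1" "$2"
}

# The attach command used at boot (or by hand): -k names the keyfile, and the
# passphrase is asked for on the console. The decrypted provider is /dev/<p>.eli.
attach_cmd() {
    printf 'geli attach -k %s /dev/%s' "$1" "$2"
}

# rc.conf lines for /etc/rc.d/geli. The flags variable is named after the
# provider with '/' replaced by '_' (so ad0s1d keeps its name as-is).
rcconf_lines() {
    printf 'geli_devices="%s"\n' "$2"
    printf 'geli_%s_flags="-k %s"\n' "$(printf '%s' "$2" | tr '/' '_')" "$1"
}

# fstab line mounting the decrypted provider on /home after attach.
fstab_line() {
    printf '/dev/%s.eli\t/home\tufs\trw\t2\t2' "$1"
}

# Run as root on the FreeBSD box only; everything above is pure so it can be
# inspected (and tested) anywhere.
if [ "${GELI_EXAMPLE_APPLY:-no}" = "yes" ]; then
    make_keyfile "$KEYFILE"
    $(init_cmd "$KEYFILE" "$PROVIDER")       # prompts for the passphrase twice
    $(attach_cmd "$KEYFILE" "$PROVIDER")     # prompts once, creates ${PROVIDER}.eli
    newfs "/dev/${PROVIDER}.eli"
    rcconf_lines "$KEYFILE" "$PROVIDER" >> /etc/rc.conf
    fstab_line "$PROVIDER" >> /etc/fstab
fi
```

Run with `GELI_EXAMPLE_APPLY=yes` only on the machine being set up; without it the script just defines the helpers, which is what makes the command lines reviewable before anything touches a disk. Dropping `-K` (keyfile only via `-P`) or dropping the passphrase would reduce the setup to the single factor the post wants to avoid.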