geli or gbde encryption of slices

OxY oxy at field.hu
Fri Dec 16 11:27:58 PST 2005 

i have a question about chosing geli or gbde..
which one is faster (read/write)?
i use gbde, and it's quite slow..
may i create the .bde partition again with larger sector size?
which size is optimal?

thanks!

On Sun, Dec 11, 2005 at 01:33:46PM +0100, Robert Blacquiere wrote:
+> Hello,
+>
+> I was playing around with geli an gbde after last EuroBSDCon.
+> I liked the idea of encrypting my data which resides in /home/$user.
+> Since this is a "single" user laptop i intended to encrypt the
+> whole /home partition. Well no problems with that. But i wanted
+> the lockfile or keyfile on a seperate usb disc. Which would be
+> mounted or used during boot of the system. I also used gshsec on
+> the usb disc to even make things more difficult.
+>
+> Well here is what i found. You can't use a none mounted disc for
+> the keys, to take things further geli asks for the access passphrease
+> before any filesystems except / is mounted. Gbde fails also because
+> the system can't do interactivaly query for the passphrase.

Unfortunately we needed to make a choice here: allow to encrypt /usr/,
etc. or allow for getting keys from more sources.

You can still do what you want, but not via rc.d/geli directly.

Geli(8) itself allows to use key from the raw device or anything else,
rc.d/geli is the thing which is not such flexible.
You may want to try adding some code to /etc/rc.local (which will take
part of the key from passphrase, part from USB Pen Drive and part for
gshsec(8) device):

 (cat /mnt/pendrive/keyfile.bin && dd if=/dev/shsec/key bs=64k count=1) | 
/sbin/geli attach -k /dev/stdin /dev/ad0s1e
 fsck_ffs -p /dev/ad0s1e.eli
 mount /dev/ad0s1e.eli /mnt/secure

Assuming that /mnt/pendrive is already mounted (it should be if placed
in /etc/fstab).

+> I wanted to use a 3 way authentication for the slice, encrypted fs,
+> a usb key and passphrase. I can use geli without the usb key (keyfile).
+> But that would render a possible bruteforce entry.

Even when you use passphrase only, geli(8) provides PKCS#5v2 to
strength it.
I'm using it with 131072 iterations, so it is 2^17 times harder to
brute-force my passphrase and takes about 2-3 seconds to attach
encrypted device on my laptop.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

----- Original Message ----- 
From: "Pawel Jakub Dawidek" <pjd at FreeBSD.org>
To: "Robert Blacquiere" <freebsd-security at guldan.demon.nl>
Cc: "freebsd-security" <freebsd-security at freebsd.org>
Sent: Friday, December 16, 2005 8:18 PM
Subject: Re: geli or gbde encryption of slices

More information about the freebsd-security mailing list