From: Benjamin Lutz <benlutz@datacomm.ch>
To: Pawel Jakub Dawidek
Cc: current@freebsd.org
Date: Fri, 29 Jul 2005 00:36:56 +0200
Message-ID: <42E95E08.80006@datacomm.ch>
In-Reply-To: <20050728205413.GB762@darkness.comp.waw.pl>
Subject: Re: GELI - disk encryption GEOM class committed.
> Few months ago I started work on another (besides GBDE) disk encryption
> GEOM class.

This is very nice!

> GELI is different than GBDE. It offers different features, but it also
> uses a different scheme for doing crypto work.

I tried to find out what exactly the differences are. Please correct me
where I'm wrong:

Encryption Strength:
GBDE - Uses AES128 for data encryption, with a different key per sector.
       Master key is encrypted using AES256 and stored on 4 random
       locations on the disk. Access key is SHA2/512bit hashed.
GELI - Supports AES, Blowfish, 3DES for data encryption, with a different
       key per sector. Access key is PKCS #5 protected. (What does this
       mean regarding a brute force attack?)

Access Keys:
GBDE - There are 4 independent access keys. With each key, it is possible
       to revoke any other.
GELI - There are 2 independent access keys. Presumably each key can revoke
       the other. Keys can consist of multiple parts or be one-time keys.

Speed:
GBDE - Runs in software.
GELI - Support for crypto(9) hardware. Blowfish is faster than AES.

Booting from Encrypted Root:
GBDE - Doesn't say, probably doesn't work.
GELI - Works. How'd one load the kernel from an encrypted root though?

The GBDE manpage warns that the on-disk format might be changed in the
future. What about GELI? It'd be unpleasant to upgrade the OS and then
find out that the encrypted volume is no longer accessible.

How much throughput can one expect in practice, say, compared to the
numbers in "openssl speed"?
Cheers
Benjamin
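The question in the message above, what "PKCS #5 protected" means for a brute force attack, comes down to how PKCS #5 v2 (PBKDF2, RFC 2898) stretches a passphrase: the attacker must repeat the whole iterated HMAC chain for every candidate passphrase, so the iteration count is a linear multiplier on the cost of each guess. The following example is added here and is not code from the thread or from GELI itself; it assumes PBKDF2 with HMAC-SHA512 as the PKCS #5 scheme, implements the RFC 2898 construction by hand next to Python's built-in `hashlib.pbkdf2_hmac` so the two can be checked against each other, and uses constructed numbers (a made-up per-iteration cost and candidate count) to show how the iteration count scales an attacker's work and how a defender can pick an iteration count from a wall-clock budget.

```python
import hashlib
import hmac
import time


def derive_key(passphrase: bytes, salt: bytes, iterations: int,
               dklen: int = 64, hash_name: str = "sha512") -> bytes:
    """PKCS #5 v2 (PBKDF2) key derivation via the standard library.

    HMAC-SHA512 is an assumption for this example, not a statement about
    GELI's on-disk format.
    """
    return hashlib.pbkdf2_hmac(hash_name, passphrase, salt, iterations, dklen)


def pbkdf2_rfc2898(passphrase: bytes, salt: bytes, iterations: int,
                   dklen: int, hash_name: str = "sha512") -> bytes:
    """Straight transcription of RFC 2898 section 5.2, for illustration.

    T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i))
    and U_j = PRF(P, U_{j-1}). Every one of the c HMAC calls must be
    redone for each candidate passphrase, which is the whole point.
    """
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)          # ceil(dklen / hlen)
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(passphrase, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hash_name).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return out[:dklen]


def verify_passphrase(candidate: bytes, salt: bytes, iterations: int,
                      stored_key: bytes) -> bool:
    """Constant-time comparison of a re-derived key against the stored one."""
    derived = derive_key(candidate, salt, iterations, len(stored_key))
    return hmac.compare_digest(derived, stored_key)


def expected_search_seconds(candidates: int, iterations: int,
                            seconds_per_iteration: float) -> float:
    """Attacker work for an exhaustive search of `candidates` passphrases.

    Cost is linear in both the candidate count and the iteration count;
    raising the iteration count is the defender's only lever here,
    because the candidate count is fixed by the passphrase's entropy.
    """
    return candidates * iterations * seconds_per_iteration


def seconds_per_iteration(hash_name: str = "sha512", probe: int = 20000) -> float:
    """Measure the per-iteration cost on this machine (one HMAC per iteration)."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"probe", b"probe-salt", probe, 64)
    return (time.perf_counter() - start) / probe


def choose_iterations(target_seconds: float, hash_name: str = "sha512") -> int:
    """Defender-side calibration: iterations so one unlock costs ~target_seconds."""
    return max(1, int(target_seconds / seconds_per_iteration(hash_name)))


if __name__ == "__main__":
    salt = b"constructed-16-byte-salt"          # constructed; real salts are random
    key = derive_key(b"correct horse", salt, 100000)
    assert verify_passphrase(b"correct horse", salt, 100000, key)
    assert not verify_passphrase(b"wrong horse", salt, 100000, key)

    # Constructed figures: 2 microseconds per HMAC, a 10-million-word candidate list.
    for iters in (1, 1000, 100000):
        secs = expected_search_seconds(10_000_000, iters, 2e-6)
        print(f"{iters:>7} iterations -> full search of 1e7 candidates: {secs:,.0f} s")

    print("iterations for a 1 s unlock on this machine:", choose_iterations(1.0))
```

The printed search times grow by the same factor as the iteration count, which is what "PKCS #5 protected" buys: it does not make a weak passphrase strong, it multiplies the cost per guess by a constant the defender chooses. `choose_iterations` shows the usual way of picking that constant, from a budget for how long a legitimate unlock may take on the machine that will do the unlocking.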