Date: Fri, 29 Jul 2005 03:09:13 +0200 From: Benjamin Lutz <benlutz@datacomm.ch> To: current@freebsd.org Subject: Re: GELI - disk encryption GEOM class committed. Message-ID: <42E981B9.5060500@datacomm.ch> In-Reply-To: <42E95E08.80006@datacomm.ch> References: <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig91CAC02C03C4473BD22FB004 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit >Few months ago I started work on another (besides GBDE) disk encryption > GEOM class. This is very nice! > GELI is different than GBDE. It offers different features, but it also > use different scheme for doing crypto work. I tried to find out what exactly the differences are. Please correct me where I'm wrong: Encryption Strength: GBDE - Uses AES128 for data encryption, with a different key per sector. Master key is encrypted using AES256 and stored on 4 random locations on the disk. Access key is SHA2/512bit hashed. GELI - Supports AES, Blowfish, 3DES for data encryption, with a different key per sector. Access key is PKCS #5 protected. (What does this mean regarding a brute force attack?) Access Keys: GBDE - There are 4 independent access keys. With each key, it is possible to revoke any other. GELI - There are 2 independent access keys. Presumably each key can revoke the other. Keys can exist of multiple parts or be one time keys. Speed: GBDE - Runs in software. GELI - Support for crypto(9) hardware. Blowfish is faster than AES. Booting from Encrypted Root: GBDE - Doesn't say, probably doesn't work GELI - Works. How'd one load the kernel from an encrypted root though? The GBDE manpage warns that the on-disk format might be changed in the future. What about GELI? It'd be unpleasant to upgrade the OS and then find out that the encrypted volume is no longer accessible. How much throughput can one expect in practice, say, compared to the numbers in "openssl speed"? Cheers Benjamin --------------enig91CAC02C03C4473BD22FB004 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iD8DBQFC6YG9gShs4qbRdeQRAv6ZAJ0Qe4gNcjBIHEIjWk+vd9FLIKR/2gCgh1FW OKboU4U26Nps+mtHlN1Nx0c= =Ml57 -----END PGP SIGNATURE----- --------------enig91CAC02C03C4473BD22FB004--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42E981B9.5060500>