Date:      Fri, 29 Jul 2005 03:09:13 +0200
From:      Benjamin Lutz <benlutz@datacomm.ch>
To:        current@freebsd.org
Subject:   Re: GELI - disk encryption GEOM class committed.
Message-ID:  <42E981B9.5060500@datacomm.ch>
In-Reply-To: <42E95E08.80006@datacomm.ch>
References:  <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch>


> A few months ago I started work on another (besides GBDE) disk encryption
> GEOM class.


This is very nice!


> GELI is different than GBDE. It offers different features, but it also
> uses a different scheme for doing crypto work.


I tried to find out what exactly the differences are. Please correct me
where I'm wrong:

Encryption Strength:
  GBDE - Uses AES128 for data encryption, with a different key per
         sector. Master key is encrypted using AES256 and stored on
         4 random locations on the disk. Access key is SHA2/512bit
         hashed.
  GELI - Supports AES, Blowfish, 3DES for data encryption, with a
         different key per sector. Access key is PKCS #5 protected.
         (What does this mean regarding a brute force attack?)

Access Keys:
  GBDE - There are 4 independent access keys. With each key, it is
         possible to revoke any other.
  GELI - There are 2 independent access keys. Presumably each key can
         revoke the other. Keys can consist of multiple parts or be
         one-time keys.

Speed:
  GBDE - Runs in software.
  GELI - Support for crypto(9) hardware. Blowfish is faster than AES.

Booting from Encrypted Root:
  GBDE - Doesn't say, probably doesn't work
  GELI - Works. How'd one load the kernel from an encrypted root though?

The GBDE manpage warns that the on-disk format might be changed in the
future. What about GELI? It'd be unpleasant to upgrade the OS and then
find out that the encrypted volume is no longer accessible.

How much throughput can one expect in practice, say, compared to the
numbers in "openssl speed"?

Cheers
Benjamin

