Date:      Sun, 24 Oct 2010 18:04:32 +0200
From:      Roland Smith <rsmith@xs4all.nl>
To:        Victor Sudakov <sudakov@sibptus.tomsk.ru>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: geli keys
Message-ID:  <20101024160432.GB43549@slackbox.erewhon.net>
In-Reply-To: <20101024101457.GA72426@admin.sibptus.tomsk.ru>
References:  <20101024101457.GA72426@admin.sibptus.tomsk.ru>

On Sun, Oct 24, 2010 at 05:14:57PM +0700, Victor Sudakov wrote:
> Colleagues,
>
> The geli(8) man page suggests initializing a geli provider with a
> random keyfile (geli init -K). It also asks for a passphrase by default.
>
> What happens if a provider is initialized without the -K option, just
> with a passphrase?

The passphrase is not used as the key directly. It is used to derive the key
with PKCS #5 [see http://www.faqs.org/rfcs/rfc2898.html].

> Will there be no encryption?

No, there will be encryption.

> Encryption will be weaker?

I don't think so. But it depends on a lot of things.

If you use a keyfile, it needs to be on an unencrypted (or previously
decrypted) partition, and it needs to be referenced in /etc/rc.conf if you
want to be able to mount that partition at boot. So the keyfile might be
random but it may not be secret (unless you put it on a USB thumbdrive and
mount that before mounting the encrypted fs).

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101024160432.GB43549>
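
Added example, not part of the message above and not geli's own code: a Python sketch of the PKCS #5 (PBKDF2, RFC 2898) derivation the reply refers to, checked against `hashlib.pbkdf2_hmac`, with a keyfile mixed in. The HMAC-SHA512 PRF, the `user_key` combination and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def pbkdf2_sha512(passphrase: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2 from RFC 2898 section 5.2, with HMAC-SHA512 as the PRF."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    out, block = b"", 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 ^ ... ^ U_c
        u = hmac.new(passphrase, salt + block.to_bytes(4, "big"), hashlib.sha512).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha512).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(64, "big")
        block += 1
    return out[:dklen]

def user_key(salt: bytes, iterations: int, passphrase: bytes = None, keyfile: bytes = None) -> bytes:
    """Assumed combination (not geli's source): HMAC-SHA512 over the keyfile
    bytes followed by the PBKDF2 output of the passphrase."""
    if passphrase is None and keyfile is None:
        raise ValueError("need a passphrase, a keyfile, or both")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)
    if passphrase is not None:
        mac.update(pbkdf2_sha512(passphrase, salt, iterations))
    return mac.digest()

# Constructed sample values; a real salt and keyfile would be random.
SALT = bytes(range(64))
KEYFILE = bytes(reversed(range(256)))
PASSPHRASE = b"correct horse battery staple"
ITERATIONS = 2000

if __name__ == "__main__":
    only_pass = user_key(SALT, ITERATIONS, passphrase=PASSPHRASE)
    both = user_key(SALT, ITERATIONS, passphrase=PASSPHRASE, keyfile=KEYFILE)
    only_file = user_key(SALT, ITERATIONS, keyfile=KEYFILE)
    # Same passphrase, different salt: a different key, so the stored salt matters.
    resalted = user_key(SALT[::-1], ITERATIONS, passphrase=PASSPHRASE)
    for name, key in [("passphrase", only_pass), ("both", both),
                      ("keyfile", only_file), ("resalted", resalted)]:
        print(f"{name:10s} {key.hex()[:32]}...")
```

In this model a keyfile that sits readable on an unencrypted partition contributes no secrecy, leaving the passphrase term as the only secret input, which is the point the reply makes about keyfile placement.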