On Mon, Jan 30, 2006 at 04:46:38PM +0100, Christian Baer wrote:
> Good afternoon[1], fellow readers! :-)
>
> Because I wanted something new to play with and because I found the idea
> of encrypting swap and temp space, I decided to give GELI a try. The
> idea of using crypto(9) seems good too, because that way hardware
> support is added at no extra cost - I know, that was part of the reason,
> why GELI was written. :-)
>
> Note:
> This thread is not really related to the one I started on the security
> mailing-list. Because of the existing crypto-hardware GELI won that
> race described there. This here is more of personal interest.
>
> The question is more of an academic nature, but interesting just the
> same: Can it be said that GELI is more secure (by design) than GBDE or
> vice versa? The differences are not only of cosmetic nature or in the
> user interface, but there is a real difference within the concept. Can
> one of these approaches be called more secure than the other[2]?
>

There was a huge thread about this very topic on one of the NetBSD lists
and freebsd-hackers@ between phk and the guy that implemented cgd for
NetBSD (very similar in concept to geli). So, if you're interested in
the gory details, I suggest you look that thread up. To cut it short:
opinions differ greatly.

>
> Are there plans for a geli(4) manpage inspired by gbde(4) manpage? It
> just shows the non-expert wonderfully, how it works and how safe it is
> (in numbers).
>

That would be very useful indeed.

> Now for some *real* questions... :-)
>
> GBDE wants to be attached to a partition like adxs1d. The examples in
> the handbook however suggest that GELI should be attached to the
> hardware-device adx and not to a partition. Why is this so? I am
> guessing that GELI would be just as happy to be attached to ad1s1d as to
> ad1 (wouldn't this be mandatory if there were more than one partition on
> the drive?), but does this have any (dis-) advantages?
>

You can encrypt arbitrary providers with geli (same as with gbde). E.g.
on my notebook I have encrypted ad0s1f with geli and have it attach at
boot with the corresponding rc.conf variables.

> If I were to use encrypted swap space I couldn't use the fstab for these
> anymore. Should I do this with a start-up script and if so, where should
> I put it? 'Where' as in 'where should it be in the boot-order?'
>

To have your partitions encrypted, you just have to add .eli (for geli)
or .bde (for gbde) to your device name in /etc/fstab, e.g.
/dev/ad0s1b.eli on my notebook. The /etc/rc.d/encswap script does the
rest automagically. That means you don't have to worry about the
boot-order. (The above is true for 7-CURRENT and 6-STABLE, I'm not sure
whether encswap was part of 6.0-RELEASE. For older versions, there were
special gbde options for rc.conf).

> Basically the same thing goes for temp-space. When should it be mounted.
> And more importantly, if I use a new key every time, wouldn't I need a
> newfs during every boot - before I mount /tmp?
>

You could use a tmpmfs (see corresponding rc.conf variables). Adding it
to the geli_devices variable probably just works(tm), but it depends on
the order of the rc scripts.

- Christian

--
Christian Brueffer    chris_(_at_)_unixpages_(_dot_)_org    brueffer_(_at_)_FreeBSD_(_dot_)_org
GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
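
The fstab convention described in the reply above (swap devices carry a .eli or .bde suffix), turned into a check; this is an added example, not part of the original message. The function name and the sample fstab are constructed for illustration, and the script assumes the usual whitespace-separated fstab columns.

```shell
#!/bin/sh
# Added example: list swap entries in an fstab-format file that are NOT
# backed by a geli (.eli) or gbde (.bde) provider, i.e. swap that would
# be written to disk in the clear.

unencrypted_swap() {
    # $1 = path to an fstab-format file
    awk '
        $1 ~ /^#/ { next }    # comment line (leading blanks are ignored by awk)
        NF < 3    { next }    # blank or malformed line
        # column 3 is the filesystem type; column 1 is the device
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { print $1 }
    ' "$1"
}

# Constructed sample, not taken from a real system.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a       /           ufs     rw       1     1
/dev/ad0s1b.eli   none        swap    sw       0     0
/dev/ad1s1b       none        swap    sw       0     0
#/dev/ad2s1b      none        swap    sw       0     0
/dev/ad0s1f.eli   /home       ufs     rw       2     2
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
echo "swap devices without .eli/.bde suffix:"
unencrypted_swap "$sample"
rm -f "$sample"
```

On a live system the function would be pointed at /etc/fstab; an empty result means every swap entry goes through geli or gbde.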