ru.unix.bsd

 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Slawa Olhovchenkov                   2:5030/500     03 Aug 2005  00:21:36
 To : All
 Subject : News from the field
 -------------------------------------------------------------------------------- 
 
 
 From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
 Subject: GELI - disk encryption GEOM class committed.
 
 Hi.
 
 A few months ago I started work on another (besides GBDE) disk encryption
 GEOM class.
 
 So as not to confuse users, I'll say it here and now:
 
 GELI is different from GBDE. It offers different features, but it also
 uses a different scheme for doing the crypto work.
 
 It doesn't mean GBDE is broken!
 It doesn't mean GBDE should not be used anymore (I still use it myself)!
 It is different, and the user should decide which one better fits their needs.
 
 Anyway.
 
 Below is a list of the most important features offered by geli(8):
 
 - Utilizes the crypto(9) framework, so when crypto hardware is
   available, geli(8) will make use of it automatically.
   If the cryptography needs to be done in software, dedicated kernel
   thread(s) will be started to do the crypto work there.
 - Supports many cryptographic algorithms (currently AES, Blowfish
   and 3DES).
 - Can create a key from several components (user-entered passphrase,
   random bits from a file, etc.).
 - Allows encrypting the root partition - the user will be asked for the
   passphrase before the root file system is mounted.
 - The user's passphrase is strengthened with: B. Kaliski, PKCS #5:
   Password-Based Cryptography Specification, Version 2.0, RFC 2898.
 - Allows the use of two independent keys (e.g. "user key" and "company key").
 - It is fast - geli performs simple sector-to-sector encryption.
 - Allows backing up/restoring Master Keys, so when the user has to quickly
   destroy the keys, the data can be recovered by restoring the keys from
   the backup.
 - The provider can be configured to automatically detach on last close (so
   the user doesn't have to remember to detach the provider after unmounting
   the file system).
 - Allows attaching a provider with random one-time keys - useful for swap
   partitions and temporary file systems.
 - Allows automatically detaching the provider on last close.
 - Allows overwriting on-disk keys with random data (when destroying
   them). One can define how many times.
 - You can define the number of threads which are going to do the software
   crypto work (useful for SMP systems).
 
 Things you need to know about geli(8).
 
 GELI (similar to GBDE) offers privacy only - there is no data integrity
 verification, so if your disk/laptop is stolen your data should be
 safe, but if someone can modify your encrypted data behind your back,
 geli is not going to detect these changes.
 
 GELI uses block-unique IVs, which means every data block (sector) has
 a unique IV, which will not be changed when new data is written to the
 disk. This means that if someone can somehow sniff your disk traffic or
 is able to get snapshots of your disk, you may not be safe.
 The IVs used by GELI are secret, which should help here a bit, but you still
 need to be careful.
 
 GELI uses one key to encrypt all the data, so when you have multi-terabyte
 storage, you should probably use AES-256 - AES-128 may not be enough.
 
 You have been warned. Enjoy!
 
 PS. GELI was sponsored by Wheel Sp. z o.o. (http://www.wheel.pl).
 ... World Wide Wъeb
 --- GoldED+/BSD 1.1.5
  * Origin:  (2:5030/500)
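The two caveats in the announcement (deterministic per-sector IVs, and no integrity check) are easier to appreciate when you can watch them happen. The following is an added example, not geli's own code and not its on-disk format: it models sector-level CBC encryption with one data key for every sector, a secret IV derived per sector that never changes, and no MAC, which are the properties the mail describes. The passphrase strengthening uses PKCS#5 v2 PBKDF2 as the mail says, but the way the passphrase and keyfile are combined and how the data key and IV key are split off are assumptions for illustration. In place of AES (so the example needs only the Python standard library) the 16-byte block cipher is a Feistel network built from HMAC-SHA256; that substitution is also an assumption and does not affect the two properties being shown.

```python
"""Illustrative model of privacy-only sector encryption (added example).

Properties modelled from the announcement: one data key for all sectors,
a secret per-sector IV that stays fixed across rewrites, no integrity.
Everything about key splitting, IV derivation and the block cipher is
assumed for illustration and is NOT geli's actual scheme.
"""
import hashlib
import hmac
import os

BLOCK = 16    # 128-bit cipher block, like AES
SECTOR = 512  # sector size in bytes


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """4-round Feistel permutation on a 16-byte block (assumed stand-in for AES)."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


def derive_keys(passphrase: str, keyfile: bytes, salt: bytes, iters: int = 100_000):
    """User key from several components: passphrase strengthened with PKCS#5 v2
    (PBKDF2-HMAC-SHA512), then mixed with keyfile bytes. The split into a
    data key and an IV key is an assumption of this example."""
    pw = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iters)
    ukey = hmac.new(keyfile, pw, hashlib.sha512).digest()
    return ukey[:32], ukey[32:]  # (data key, IV key)


def sector_iv(ivkey: bytes, sector: int) -> bytes:
    """Secret IV, unique per sector, identical every time the sector is written."""
    return hmac.new(ivkey, sector.to_bytes(8, "little"), hashlib.sha256).digest()[:BLOCK]


def sector_encrypt(dkey: bytes, ivkey: bytes, sector: int, data: bytes) -> bytes:
    """CBC over one sector; no authentication tag is produced."""
    assert len(data) == SECTOR
    out, prev = bytearray(), sector_iv(ivkey, sector)
    for off in range(0, SECTOR, BLOCK):
        blk = bytes(a ^ b for a, b in zip(data[off:off + BLOCK], prev))
        prev = block_encrypt(dkey, blk)
        out += prev
    return bytes(out)


def sector_decrypt(dkey: bytes, ivkey: bytes, sector: int, data: bytes) -> bytes:
    """CBC decryption; nothing here can notice a modified ciphertext."""
    out, prev = bytearray(), sector_iv(ivkey, sector)
    for off in range(0, SECTOR, BLOCK):
        c = data[off:off + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(dkey, c), prev))
        prev = c
    return bytes(out)


def demo() -> dict:
    """Returns which of the two caveats were observed on constructed input."""
    keyfile = os.urandom(64)                      # constructed "random bits from a file"
    dkey, ivkey = derive_keys("correct horse", keyfile, b"constructed-salt")
    plain = b"secret record".ljust(SECTOR, b"\0")  # constructed sector content
    c1 = sector_encrypt(dkey, ivkey, 7, plain)
    c2 = sector_encrypt(dkey, ivkey, 7, plain)    # same data rewritten to sector 7
    c3 = sector_encrypt(dkey, ivkey, 8, plain)    # same data, different sector
    # Caveat 1: a fixed per-sector IV makes rewrites of unchanged (or reverted)
    # data visible to anyone holding two snapshots or sniffing the bus.
    # Caveat 2: CBC without a MAC is malleable. Flipping byte 3 of ciphertext
    # block 0 garbles plaintext block 0 and flips exactly byte 3 of plaintext
    # block 1; decryption succeeds silently.
    tampered = bytearray(c1)
    tampered[3] ^= 0x41
    p = sector_decrypt(dkey, ivkey, 7, bytes(tampered))
    return {
        "roundtrip_ok": sector_decrypt(dkey, ivkey, 7, c1) == plain,
        "same_sector_repeats": c1 == c2,
        "different_sector_differs": c1 != c3,
        "block1_byte_flipped": p[BLOCK + 3] == plain[BLOCK + 3] ^ 0x41,
        "block1_rest_intact": p[BLOCK + 4:2 * BLOCK] == plain[BLOCK + 4:2 * BLOCK],
        "block0_garbled": p[:BLOCK] != plain[:BLOCK],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the second caveat for a practitioner: a controlled one-byte change in a neighbouring block is exactly what "someone can modify your encrypted data behind your back" buys an attacker with write access to the disk, and nothing in a privacy-only scheme will complain. If you need to detect that, layer an integrity check above the encrypted provider.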
 
 
