Re: Getting GELI Keys from Floppy

2006-09-07 Thread Nikos Vassiliadis
On Thursday 07 September 2006 00:00, Frank Steinborn wrote:
> Hello,
>
> I want to encrypt my HDDs with GELI (not the root-fs, though). I want
> to do the encryption without a password, just with a key. The key should
> be stored on a floppy disk, and it should be read automatically
> on boot, from the floppy.

Are you sure you want to trust a floppy disk for your keys??
It's not the most safe medium these days...


> There is a problem here, because GELI initializes _before_ mounting
> the disks from /etc/fstab (for obvious reasons, of course). So GELI is
> not able to get the keys from the floppy and fails.
>
> So, any hints how I could get the floppy mounted _before_ GELI tries
> to initialize?

Why don't you use the plain device (/dev/fd0) instead of using a file on a
filesystem on the floppy? I think there are examples in the manual page.

Anyway, I find this a very very bad idea. If the floppy breaks in some way
you're gonna be in big trouble...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Getting GELI Keys from Floppy

2006-09-07 Thread Frank Steinborn
Nikos Vassiliadis wrote:
> Are you sure you want to trust a floppy disk for your keys??
> It's not the most safe medium these days...

I'll back up the keys on CD. It's just that I don't want to waste a
CD-ROM drive in this server.
 
 
> > There is a problem here, because GELI initializes _before_ mounting
> > the disks from /etc/fstab (for obvious reasons, of course). So GELI is
> > not able to get the keys from the floppy and fails.
> >
> > So, any hints how I could get the floppy mounted _before_ GELI tries
> > to initialize?
>
> Why don't you use the plain device (/dev/fd0) instead of using a file on a
> filesystem on the floppy? I think there are examples in the manual page.

I could use /dev/fd0 directly but then I would have to use the same key for
all 6 HDDs in the server. I got a solution by hacking /etc/rc.d/geli
- I'm just mounting the floppy there before it tries to read the key.

Thanks to all the people giving suggestions!

Frank 


Re: Getting GELI Keys from Floppy

2006-09-07 Thread Matt Piechota

On Thu, 7 Sep 2006, Frank Steinborn wrote:


> I could use /dev/fd0 directly but then I would have to use the same key for
> all 6 HDDs in the server. I got a solution by hacking /etc/rc.d/geli
> - I'm just mounting the floppy there before it tries to read the key.


You could read different parts of the floppy for different keys.

Speaking of which, do the keys have any identifiable strings in them?  If 
not, you could fill the floppy with random garbage and 'hide' the key. 
I'm assuming since you don't want a password you don't want the boot to 
require interaction so it's not that useful, but if nothing else it would 
help if someone got access to the floppy (remotely or by physical access).


--
Matt Piechota
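
Added example, not part of any poster's message: one way to keep a separate key per disk at fixed offsets on the raw floppy device, as suggested above, so that no filesystem has to be mounted before GELI initializes. The one-sector slot size, the slot layout and the function names are assumptions; `geli attach -p -k -` reads a passphrase-less key file from standard input.

```shell
#!/bin/sh
# Added example: per-disk GELI keys stored as fixed-size slots on a raw device.
# KEY_BYTES, the slot layout and all function names are assumptions.

# One 512-byte sector per key: raw disk devices on FreeBSD only accept
# sector-sized transfers, so smaller slots could not be read from /dev/fd0.
KEY_BYTES=512

# write_key SRC DEVICE SLOT: copy the first KEY_BYTES of SRC into slot SLOT.
# conv=notrunc keeps the other slots intact when DEVICE is an image file.
write_key() {
    dd if="$1" of="$2" bs="$KEY_BYTES" seek="$3" count=1 conv=notrunc 2>/dev/null
}

# read_key DEVICE SLOT: print slot SLOT (0-based) of DEVICE to stdout.
read_key() {
    dd if="$1" bs="$KEY_BYTES" skip="$2" count=1 2>/dev/null
}

# attach_all DEVICE PROVIDER...: attach each provider with its own slot,
# first provider from slot 0, second from slot 1, and so on.
attach_all() {
    dev=$1; shift
    slot=0
    for prov in "$@"; do
        # A short or failed read would be fed to GELI as a different key,
        # so check the length before attaching.
        n=$(read_key "$dev" "$slot" | wc -c | tr -d ' ')
        if [ "$n" -ne "$KEY_BYTES" ]; then
            echo "slot $slot on $dev: read $n bytes, expected $KEY_BYTES" >&2
            return 1
        fi
        # -p: no passphrase component; -k -: key file comes from stdin.
        read_key "$dev" "$slot" | geli attach -p -k - "$prov" || return 1
        slot=$((slot + 1))
    done
}

# Typical use from an rc script (device names are placeholders):
#   attach_all /dev/fd0 /dev/ad4 /dev/ad6 /dev/ad8
```

Filling the unused sectors with random data, as the message above proposes, does not change this layout: the slot numbers are the only thing the boot script needs to know.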