Re: Getting GELI Keys from Floppy

That's a really good idea. - Removable media with key (so you can take it
out for security reasons) and using a key so don't have to type in a
passphrase each time.

btw, is there any good document on GELI?

One idea is having 1 server with a CD-ROM drive and exporting it via NFS.
When a server boots it mounts the remote CD-ROM drive and looks for key
"$HOSTNAME.key".

CDs are reliable - hold a good amount of data (enough for lots of keys) and
can be removed and taken with you.

-J

On 9/7/06, Bob Johnson <fbsdlists@gmail.com> wrote:
>
> On 9/6/06, Barkley Vowk <bvowk@math.ualberta.ca> wrote:
> > You are a complete madman. You want to protect your data with a key
> stored
> > on the most completely and utterly unreliable form of data storage still
> > lamentably in use? Its not the 1970's anymore, get a real data storage
> > medium!
> >
> > Get a usb flash drive, from there its a simple matter of changing the
> geli
> > script to mount a specific usb device before starting. Look in
> > /etc/rc.d/geli and geli2. I'd put your mounting and checks between the
> > kldstat and the "if [ -z" in the geli_start() sub.
>
> I have floppies from the 1980s that are still readable, but I have
> never had a USB flash drive last more than six months when actually in
> use.  For important data, I trust a floppy far more than I trust a
> flash drive. The big problem with floppies is they don't hold enough
> data. For that matter, writeable CDs and DVDs have proven to be much
> less reliable than floppies, too.
>
> - Bob
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org
> "
>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"