Re: GELI versus GBDE?
I've been working on a ruby script to manage some geli file systems and have had some good experience using "-k -" to make it read from standard in. It's mixed with popen calls instead of a more bash-y version, but it works. :)

I have not tried running it w/o a terminal allocated, but I suspect that won't make much of a difference.

(If the script wasn't in such sorry shape at the moment I would copy it along, but I don't think anyone wants to see it now. ;) )

Sam

Lumeta - Securing the Network in the Face of Change
www.lumeta.com

Nikolay Mirin wrote:
> Anyway, the other reasons that GBDE sucks are:
>
> 1) Lots of annoying ENOMEM messages, since the memory allocation calls gbde makes are somewhat specific as I understand. One can ignore those messages.
> 2) GELI provides a onetime key feature, which makes it incredibly convenient for swap and /tmp encryption.
> 3) The secret key in GELI can be split between the keyfile and the passphrase.
>
> The only inconvenience I had with GELI is that if one wants to read a passphrase in a script once and then open a bunch of volumes, then one has to use "expect" to feed the passphrase to geli. It requires the terminal input and won't accept the stdin. GBDE does not have such an issue.
>
> P.S. One can actually have both in kernel.
>
> Christian Brueffer said the following on 16.04.2007 11:21:
>> On Sun, Apr 15, 2007 at 08:56:07AM -0500, Nikolay Mirin wrote:
>>> Definitely GELI.
>>>
>>> GBDE will become obsolete very soon as some other things like vinum and such. It was there just as a test of concept as I understand.
>>> Many of those different disk subsystems are incompatible in fact, the case of GBDE and Vinum is mentioned as an example in the handbook.
>>> Read more about GEOM, as this system will unite all possible disk techniques.
>>>
>>> Also, GELI takes advantage of crypto-hardware, but I believe that one gets a benefit out of it only if the main CPU is very slow.
>>
>> There are currently no plans to remove GBDE.
>>
>> The problems with Vinum you mention stemmed from the fact that the original Vinum was not GEOM aware, thus, GELI couldn't have been used with it as well. gvinum has been in existence for some time now and it's fully compatible with both GBDE and GELI.
>>
>> - Christian

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
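What the "-k -" approach mentioned in the message above can look like in plain sh, as an added example that is not part of the original thread and is not Sam's script. It assumes each provider was initialised with keyfile-only material (`geli init -P -K - <provider>`), so the data fed on stdin is a keyfile component rather than a passphrase; the `GELI` override variable and the device names are hypothetical.

```shell
#!/bin/sh
# Added example: read key material once, then attach several GELI providers.
# Assumes providers were set up with `geli init -P -K - <provider>`, so the
# stdin data is the only key component (-p = do not ask for a passphrase).
GELI=${GELI:-geli}            # overridable so the logic can be dry-run

# Read one line of key material into $SECRET without echoing it.
read_secret() {
    if [ -t 0 ]; then
        printf 'Key material: ' >&2
        trap 'stty echo' EXIT INT TERM   # restore echo if interrupted
        stty -echo
        IFS= read -r SECRET
        stty echo
        trap - EXIT INT TERM
        printf '\n' >&2
    else
        IFS= read -r SECRET              # no terminal: take it from the pipe
    fi
    [ -n "$SECRET" ]
}

# attach_all SECRET PROVIDER...
# Returns the number of providers that failed to attach (0 = all attached).
attach_all() {
    _secret=$1; shift
    _failed=0
    for _prov in "$@"; do
        # printf is a builtin in FreeBSD sh, bash and dash, so the secret is
        # not passed as a process argument; geli sees it only via "-k -".
        if printf '%s' "$_secret" | "$GELI" attach -p -k - "$_prov"; then
            echo "attached: $_prov" >&2
        else
            echo "FAILED:   $_prov" >&2
            _failed=$((_failed + 1))
        fi
    done
    return "$_failed"
}

# Runs only when providers are named on the command line, e.g.
#   ./attach.sh /dev/ad4s1d /dev/ad6s1d      (hypothetical device names)
if [ "$#" -gt 0 ]; then
    read_secret || { echo "empty key material" >&2; exit 1; }
    attach_all "$SECRET" "$@"; rc=$?
    unset SECRET
    exit "$rc"
fi
```
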
Re: GELI versus GBDE?
Anyway, the other reasons that GBDE sucks are:

1) Lots of annoying ENOMEM messages, since the memory allocation calls gbde makes are somewhat specific as I understand. One can ignore those messages.
2) GELI provides a onetime key feature, which makes it incredibly convenient for swap and /tmp encryption.
3) The secret key in GELI can be split between the keyfile and the passphrase.

The only inconvenience I had with GELI is that if one wants to read a passphrase in a script once and then open a bunch of volumes, then one has to use "expect" to feed the passphrase to geli. It requires the terminal input and won't accept the stdin. GBDE does not have such an issue.

P.S. One can actually have both in kernel.

Christian Brueffer said the following on 16.04.2007 11:21:
> On Sun, Apr 15, 2007 at 08:56:07AM -0500, Nikolay Mirin wrote:
>> Definitely GELI.
>>
>> GBDE will become obsolete very soon as some other things like vinum and such. It was there just as a test of concept as I understand.
>> Many of those different disk subsystems are incompatible in fact, the case of GBDE and Vinum is mentioned as an example in the handbook.
>> Read more about GEOM, as this system will unite all possible disk techniques.
>>
>> Also, GELI takes advantage of crypto-hardware, but I believe that one gets a benefit out of it only if the main CPU is very slow.
>
> There are currently no plans to remove GBDE.
>
> The problems with Vinum you mention stemmed from the fact that the original Vinum was not GEOM aware, thus, GELI couldn't have been used with it as well. gvinum has been in existence for some time now and it's fully compatible with both GBDE and GELI.
>
> - Christian
Re: GELI versus GBDE?
On Sun, Apr 15, 2007 at 08:56:07AM -0500, Nikolay Mirin wrote:
> Definitely GELI.
>
> GBDE will become obsolete very soon as some other things like vinum and
> such. It was there just as a test of concept as I understand.
> Many of those different disk subsystems are incompatible in fact, the case
> of GBDE and Vinum is mentioned as an example in the handbook.
> Read more about GEOM, as this system will unite all possible disk
> techniques.
>
> Also, GELI takes advantage of crypto-hardware, but I believe that one
> gets a benefit out of it only if the main CPU is very slow.
>

There are currently no plans to remove GBDE.

The problems with Vinum you mention stemmed from the fact that the original Vinum was not GEOM aware, thus, GELI couldn't have been used with it as well. gvinum has been in existence for some time now and it's fully compatible with both GBDE and GELI.

- Christian

--
Christian Brueffer [EMAIL PROTECTED] [EMAIL PROTECTED]
GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D
Re: GELI versus GBDE?
Oh, and of course! GELI allows selection of the algorithm, key length and such. GBDE uses AES-128 only.

I migrated to GELI in December, 2006. After the problem I had was resolved: http://www.freebsd.org/cgi/query-pr.cgi?pr=104669

Honestly, I also had a problem with GELI data authentication support, but I don't really need it.

Google and search the PR database to see what other folks had to say.

Michael C Voorhis said the following on 14.04.2007 18:07:
> The Handbook contains descriptions of GELI and GBDE for encrypting disk partitions; will both of these techniques remain available into the future? The fact that there are two implies (to me) that one may be on the way out, in preference of the other.
>
> In src/sys/geom/eli (RELENG_6) the oldest GELI sources are younger than the youngest GBDE stuff in src/sys/geom/bde. Is GBDE falling by the wayside in favor of GELI?
>
> Thanks for any information,
> Mike.
Re: GELI versus GBDE?
Definitely GELI.

GBDE will become obsolete very soon as some other things like vinum and such. It was there just as a test of concept as I understand.
Many of those different disk subsystems are incompatible in fact, the case of GBDE and Vinum is mentioned as an example in the handbook.
Read more about GEOM, as this system will unite all possible disk techniques.

Also, GELI takes advantage of crypto-hardware, but I believe that one gets a benefit out of it only if the main CPU is very slow.

Michael C Voorhis said the following on 14.04.2007 18:07:
> The Handbook contains descriptions of GELI and GBDE for encrypting disk partitions; will both of these techniques remain available into the future? The fact that there are two implies (to me) that one may be on the way out, in preference of the other.
>
> In src/sys/geom/eli (RELENG_6) the oldest GELI sources are younger than the youngest GBDE stuff in src/sys/geom/bde. Is GBDE falling by the wayside in favor of GELI?
>
> Thanks for any information,
> Mike.
GELI versus GBDE?
The Handbook contains descriptions of GELI and GBDE for encrypting disk partitions; will both of these techniques remain available into the future? The fact that there are two implies (to me) that one may be on the way out, in preference of the other.

In src/sys/geom/eli (RELENG_6) the oldest GELI sources are younger than the youngest GBDE stuff in src/sys/geom/bde. Is GBDE falling by the wayside in favor of GELI?

Thanks for any information,
Mike.