search for: geli

Hello, i want to encrypt my HDD's with GELI (not the root-fs, though). I want to do the encryption without password, just with a key. The key should be stored in a floppy disk, and the read should be read automatically on boot, from the floppy. There is a problem here, because GELI initializes _before_ mounting the disks from /etc/fstab (fo...

Hello, I was playing around with geli an gbde after last EuroBSDCon. I liked the idea of encrypting my data which resides in /home/$user. Since this is a "single" user laptop i intended to encrypt the whole /home partition. Well no problems with that. But i wanted the lockfile or keyfile on a seperate usb disc. Which would b...

Hello, Just to let everyone know that this is still an issue. I am trying to install FreeBSD 9.0 amd64 on a Lenovo X121e and I can't get it to accept the geli passphrase during boot. I've confirmed using kern.geom.eli.visible_passphrase=1 that the passphrase is correct, and the same passphrase is accepted when the system is booted up. I've tried disabling kbdmux in /boot/device.hints like the PR said, but that didn't help. I also tried disab...

I'm not really a developer, but was considering if there is a key vulnerability in geli given that when you change a key there isn't a disk update. Consider the scenario where a new file system is created and populated with some files. At a later time the original key is changed because someone has gained access to the key and passphrase. A new key is generated and attached, but...

...0 on ad0s4. I now need to recover the disklabel to get my system to boot! There were three labels - ad0s4a: UFS, exact size unknown. Is it possible to infer this from the UFS partition size? I can mount this already, as I simply wrote an 'a' label of maximum size to the disklabel - ad0s4b: GELI encrypted swap - ad0s4d: GELI encrypted ZVOL I only need to find out the start of ad0s4d. Is the consumer size of an GELI device stored in the last 512 bytes metadata? Or are there some magic bytes in this 512 bytes so I could find out the exact end of ad0s4b and thus the start of ad0s4d? Any hel...

...mirror. The two times I took the zpool offline, I had to resilver one of the drives (the same drive both times) when I imported it back. All drives in the pool show no read, write, or checksum errors and are new, so I'm looking to a software problem before hardware. Both drives are encrypted geli devices. I tried to reproduce the error with 1GB disk images (vs 1TB), mdconfig, geli, and zpool, but no luck; importing and exporting work fine. Here's the history of the pool: History for 'tank': 2009-01-07.19:06:53 zpool create tank mirror /dev/ad8.eli /dev/ad10.eli 2009-01-12.12:...

Hi. I'm moving some of my geli installation to a new machine. On an old machine it was running UFS. I use ZFS on a new machine, but I don't have an encrypted main pool (and I don't want to), so I'm kinda considering a way where I will make a zpool on a zvol encrypted by geli. Would it be completely insane (should I u...

hail, I have a soekris running an atom and 2GB RAM and ZFS using 7 drives, small capacity though, to test and study if I can make my home server this box and this way. It will be a simple server, three users tops. I followed the handbook and made the geli step on the disks: Geom name: label/zfs1.eli State: ACTIVE EncryptionAlgorithm: AES-XTS KeyLength: 128 Crypto: software UsedKey: 0 Flags: NONE KeysAllocated: 38 KeysTotal: 38 Providers: 1. Name: label/zfs1.eli Mediasize: 160041881600 (149G) Sectorsize: 4096 Mode: r1w1e1 Consumers: 1. Name...

Hi. geli(8) from FreeBSD-CURRENT is now able to perform data integrity verification (data authentication) using one of the following algorithms: - HMAC/MD5 - HMAC/SHA1 - HMAC/RIPEMD160 - HMAC/SHA256 - HMAC/SHA384 - HMAC/SHA512 One of the main design goals was to make it reliable and resistant to pow...

Hi all, I'm looking for a way to recreate the functionality of PGP Disk (under Win32). Basically, create an encrypted file, which contains a filesystem which can then be mounted in any mount point. I know I can use GELI in FreeBSD 6 - as I understand, it performs the encryption at the partition level (the whole partition is encrypted). I'd like to be able to simply unmount my 'secure volume', and be able to back it up as a whole, or move it to another computer without having to repartition the dest...

Hello. I have been investigating a 'secure' Firefox solution. The cache, history and other files are kept on an encrypted slice and swap is encrypted also. The problem I am having is that I know the shell commands required to unmount /tmp, create providers with GELI with one-time keys, remount /tmp, activate swap etc. but I don't know the correct way to get this done automatically on boot. (I'd also like to submit a patch to the manual page to show how to create an encrypted /tmp partition, but that comes later!). thanks, a1

I was using a GELI partition for /usr/home on 7.0, so it attaches and mounts on boot. The problem is it stopped working after the system was upgraded to RELENG_7/7.1-PRERELEASE. Here's how it goes: I have the following /etc/fstab: /dev/ad0s1b none swap sw 0 0 /dev/...

Hello out there, everybody! I was actually expecting to find several (hundred) threads with this subject being discussed. To my surprise I didn't find a single one either on these mailing lists or in the newsgroups - at least not in a language I understand. :-) I realize that gbde and geli are not designed to be better than the other but that both fit different needs and different tastes. Although I I am studying computer science myself, I haven't really gotten to this kind of stuff yet, so simply listing the differences doesn't help too much. For a friend of mine I am think...

Speaking of GELI / GBDE. I was reading Marc's excellent paper on Complete harddrive encryption for FreeBSD using GBDE/GELI and the problem I have is it all depends on a bootable removable token that can by physically secured. While an excellent solution for laptop / desktop users it just doesn't work with...

Hi all, can someone comment on the state of the hifn(4) driver? I've recently upgraded my 6.2-STABLE workstation to RELENG_7, and I'm now experiencing system lockups that seem to be caused by the hifn(4) driver. I've got a Soekris vpn1401 card to help with GELI disk en- cryption. Reading from a GELI volume is causing the system to freeze completely, which does not happen if software crypto is used (i.e. hifn.ko not loaded). I can't enter kernel debugger (ctrl+alt+esc doesn't work anymore) and my (remote) kgdb-fu isn't up to par anyway. PR...

Hello, I'm using geli on laptop PC with only one HDD. Disk is divided into two slices, ad0s1 and ad0s2. Second slice (ad0s2) is encrypted with GEOM ELI using two-factor authentication - passphrase plus keyfile on USB drive. FreeBSD is installed on ad0s2.eli and first slice is not used by this system so let's say...

Followed the instructions here: http://www.freebsd.org/doc/handbook/updating-upgrading-freebsdupdate.html The upgrade borked. Error message: Can't find 'kernel' When I checked with ls /boot/kernel/, the directory does exist. :-( Since the system has encrypted root partion with ZFSonROOT, I tried to follow instructions at https://forums.freebsd.org/viewtopic.php?&t=8958 to boot

In message <20050731135919.GA43753@afields.ca>, Allan Fields writes: >Yes, this is all very nice, but when is someone actually going to >commit it? ;) I'm (as always) short of time, and GBDE is not the top priority for me for the time being. So I am more than happy to see people band together and improve gbde. The main work necessary is to polish the userland program and that

Rarely, a geli partition I have freezes a process in bufwait state. It occurs after an ATA timeout message: Aug 5 03:47:13 thor kernel: ad10: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=219028637 The geli partition resides on an Intel MatrixRAID RAID1 mirror using the ICH9R chipset (Asus P5K-E/WIFI). Kill...

Hi. I added possibility to use key files for encrypted provider which are attached on boot. Before only passphrase could be used. I also fixed the tasing code - before it sometimes stopped to taste providers too early, so it was possible that kernel didn't ask for the passphrase. If you had problems with this, you may want to try again. -- Pawel Jakub Dawidek