> Few months ago I started work on another (besides GBDE) disk encryption > GEOM class. This is very nice! > GELI is different than GBDE. It offers different features, but it also > use different scheme for doing crypto work. I tried to find out what exactly the differences are. Please correct me where I'm wrong: Encryption Strength: GBDE - Uses AES128 for data encryption, with a different key per sector. Master key is encrypted using AES256 and stored on 4 random locations on the disk. Access key is SHA2/512bit hashed. GELI - Supports AES, Blowfish, 3DES for data encryption, with a different key per sector. Access key is PKCS #5 protected. (What does this mean regarding a brute force attack?) Access Keys: GBDE - There are 4 independent access keys. With each key, it is possible to revoke any other. GELI - There are 2 independent access keys. Presumably each key can revoke the other. Keys can exist of multiple parts or be one time keys. Speed: GBDE - Runs in software. GELI - Support for crypto(9) hardware. Blowfish is faster than AES. Booting from Encrypted Root: GBDE - Doesn't say, probably doesn't work GELI - Works. How'd one load the kernel from an encrypted root though? The GBDE manpage warns that the on-disk format might be changed in the future. What about GELI? It'd be unpleasant to upgrade the OS and then find out that the encrypted volume is no longer accessible. How much throughput can one expect in practice, say, compared to the numbers in "openssl speed"? Cheers Benjamin
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:40 UTC