Hi. geli(8) from FreeBSD-CURRENT is not able to perform data integrity verification (data authentication) using one of the following algorithms: - HMAC/MD5 - HMAC/SHA1 - HMAC/RIPEMD160 - HMAC/SHA256 - HMAC/SHA384 - HMAC/SHA512 One of the main design goals was to make it reliable and resistant to power failures or system crashes. This was very important to commit both data update and HMAC update as an atomic operation to the disk, so users don't have to fight with false positives. Even with data authentication enabled, geli(8) should still be fast - to provide the reliability I'm talking on internal journal or other complex mechanisms are used. It is still sector-to-sector encryption. If someone is interested in the data layout itself, it is described in the sys/geom/eli/g_eli_integrity.c file. Before you use this feature, please read "DATA AUTHENTICATION" section in the geli(8) manual page, to learn against which kind of attacks geli(8) can protect your data and against which it can not. While working on this, I improved crypto(9) framework a bit and various drivers. At this point, all crypto accelerators, which we support should work with geli(8) (ubsec(4), hifn(4), safe(4), padlock(4)), also with data authentication functionality. Enjoy! <commercial> The work was sponsored by Wheel LTD. [http://www.wheel.pl], creator of authentication system - CERB - which allows to use mobile phone/device in two-factor authentication process. </commercial> -- Pawel Jakub Dawidek http://www.wheel.pl pjd_at_FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am!
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC