On Mon, 19 Oct 2015 06:19:30 +0200 O. Hartmann wrote:

> When I looked for FreeBSD's encryption, I stopped by GELI. Because of
> its easy-to-use AND the 'experimental' tag in the handbook!
>
> For me, I'd like to know what is the benefit/performance of each
> technique and a clear preparation of each one's advantages over the
> other.

IIRC gbde allows the passphrase to be verified even after the master-keys have been deleted. The point is to demonstrate that the passphrase is not being withheld, and the data unrecoverable. AFAIK that's the only advantage it has over geli.

geli supports hardware acceleration, it's faster in software too. It's more resistant to dictionary/brute force attacks against the passphrase because of its PKCS #5 support. It supports a wider range of options and ciphers/modes. And though it's newer, it's undoubtedly had far more user-hours of use.

Also I don't remember the details, but I think there's an operation that's atomic in geli, but not in gbde, that gives gbde a greater risk of data corruption.

I certainly wouldn't like to see gbde removed but I think it is unfortunate that it's given slightly greater prominence in the handbook than geli. geli is the right choice for most people.

Received on Mon Oct 19 2015 - 20:49:01 UTC