Re: Depreciate and remove gbde

From: Maxim Sobolev <sobomax_at_FreeBSD.org>
Date: Sat, 24 Oct 2015 11:57:17 -0700
For what it's worth, we are using a modded GBDE in one of our products to provide
copy protection for the firmware and encryption of the user's data. GELI is
nice, but it's way more end-user oriented. Also, the GBDE code is very
stable, which may look bad to somebody using it to protect his pr0n
collection, but from the PoV of us as an ISV we have very little trouble
porting our changes from FreeBSD 6, which we started with originally, to 7,
8, 9 and FreeBSD 11 today. I would be really sorry to see it nuked from
FreeBSD without any good technical reason. Just my CAD0.02c.

On Sat, Oct 24, 2015 at 8:58 AM, Julian H. Stacey <jhs_at_berklix.com> wrote:

> > >If you want a secure filesystem I think that at this particular time
> > >it would be entirely reasonable to use both gbde and geli stacked on
> > >top of each other[...]
>
> I've often wondered if multiple encryption (CPU permitting) is sensible in
> case one day some method is cracked but another stays secure.
> There's been recent discussions on cracking algorithms at
>  http://lists.gnupg.org/pipermail/gnupg-users/2015-October/054586.html
>
> I see man geli has:
>         Supports many cryptographic algorithms (currently AES-XTS,
>         AES-CBC, Blowfish-CBC, Camellia-CBC and 3DES-CBC).
> NAME section of man 1 gbde & geli both ref. GEOM.
> Skimming man 1 4 8 gbde geom I'm not sure how gbde compares.
>
>
> > Nobody is going to break through the GELI or GBDE crypto, they'll
> > find their way to the keys instead, or more likely, jail you until
> > you sing.
>
> Yes, if 'they' are physically present: government, criminals etc.
>
> Encryption (& perhaps multiple encryption) is nice against e.g.
> - sneak thieves/ industrial spies/ remote hostile governments,
> - where one must sometimes share root with others.
> - scanners remote or local
>    (Scanners could be hidden in BLOBs. Anyone else worry how many
>    binary BLOBs are in FreeBSD, especially ports/ ?  I started a
>    list a couple of years back, got scared how many, then stopped
>    after I realised a list was not maintainable & better to add a
>    BLOB_HAZARD= label to ports Makefiles, but no one seemed interested ).
> - Casual physical loss:
>   - My brother's USB stick fell off its plastic retainer to key ring,
>     picture: http://www.conrad.de/ce/de/product/417197/
>   - Small shiny USB sticks on a desk could be attractive like jewellery
>     to birds such as magpies (`Elster' fly here, I stopped one thieving
>     a shiny foil-wrapped bar, a lot heavier & bigger than a USB stick).
>
> My data is long encrypted, I'll buy phk_at_ a beer if we meet somewhere :-)
>
> Cheers,
> Julian
> --
> Julian Stacey,  BSD Linux Unix Sys. Eng. Consultant Munich
> http://berklix.com