On Sat, Sep 15, 2018 at 12:18 PM, RW via freebsd-geom <
freebsd-geom@freebsd.org> wrote:

> On Fri, 14 Sep 2018 17:55:58 -0700
> Lee Brown wrote:
>
> > I want to create a geli provider as authentication only, no password,
> > no encryption.  I do:
> ...
> > Instead:
> > # echo " " > /tmp/key
> > solves that issue, but I still don't get why I even need a key file
> > with -e NULL?
>
> Because HMAC itself needs an encrypted secret key, otherwise anyone
> could write to the device without it being detectable.
>
> Without a securely entered passphrase, or a passfile on removable media,
> HMAC doesn't provide any authentication, it just detects bitrot and
> naive attempts to modify the filesystem.

Thanks for the explanation, in retrospect I should have read up on HMAC.

That's precisely my use-case: data integrity verification only.  I'm
building a RAID1 gmirror on top of 2 geli providers, so if a disk rots it's
detected.  Now I just need to test how the gmirror reacts when the
underlying geli faults.

Much appreciated -- lee
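
The point made in the thread about HMAC and key secrecy, as an added example that is not part of the original messages and is not geli's code: a simplified Python model of per-sector HMAC tags. The `Provider` class, the tag layout and the binding of the tag to the sector number are assumptions of this model, not geli's on-disk format.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector in this model (assumption)

def seal(key: bytes, lba: int, data: bytes) -> bytes:
    """Tag for one sector: HMAC-SHA256 over sector number and contents."""
    return hmac.new(key, lba.to_bytes(8, "little") + data, hashlib.sha256).digest()

class Provider:
    """Toy authenticated provider: every sector is stored as (data, tag)."""

    def __init__(self, nsectors: int):
        self.sectors = [(b"", b"")] * nsectors

    def write(self, key: bytes, lba: int, data: bytes) -> None:
        self.sectors[lba] = (data, seal(key, lba, data))

    def read(self, key: bytes, lba: int) -> bytes:
        data, tag = self.sectors[lba]
        if not hmac.compare_digest(seal(key, lba, data), tag):
            raise IOError(f"integrity check failed at sector {lba}")
        return data

def detected(disk: Provider, key: bytes, lba: int) -> bool:
    """True if reading the sector reports an integrity failure."""
    try:
        disk.read(key, lba)
        return False
    except IOError:
        return True

def fresh(key: bytes) -> Provider:
    """New 4-sector provider with constructed sample data in sector 2."""
    disk = Provider(4)
    disk.write(key, 2, b"A" * SECTOR)
    return disk

def run_cases(key: bytes) -> dict:
    results = {}
    # Case 1: bitrot. One bit of stored data flips, the tag is untouched.
    disk = fresh(key)
    data, tag = disk.sectors[2]
    disk.sectors[2] = (bytes([data[0] ^ 0x01]) + data[1:], tag)
    results["bitrot"] = detected(disk, key, 2)
    # Case 2: a writer who knows the key replaces data and tag together.
    disk = fresh(key)
    disk.write(key, 2, b"B" * SECTOR)
    results["rewrite_with_key"] = detected(disk, key, 2)
    # Case 3: the same rewrite by a writer who does not have the key.
    disk = fresh(key)
    disk.write(b"wrong guess", 2, b"B" * SECTOR)
    results["rewrite_without_key"] = detected(disk, key, 2)
    return results
```

Calling `run_cases(b" \n")` uses the bytes that `echo " " > /tmp/key` writes: bitrot is flagged either way, but a rewrite is only flagged when the writer lacks the key.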