On Tue, Oct 06, 2015 at 08:04:01PM +0800, Mikael wrote:
> Aha. So at "-k" time, if there's no key on the keydisk structure already,
> it'll make one. So this is how you can use one and the same keydisk for
> multiple volumes.

Yes. Per volume you need one disklabel partition of type RAID which you pass
to the -k option to configure it as a key disk.

> I guess by "mask key" you mean "stored encryption key" i.e. the whole point
> with the keydisk.

The mask key on the key disk decrypts the actual data encryption key, which is
stored (encrypted with the mask key) in the softraid volume.

> Is that one generated by bioctl, or does it just take the bytes that happen
> to be at those positions already i.e. zeroes??

Of course the key is generated from entropy. Do you really expect us to
consider the contents of left-over disk blocks cryptographically secure?

> Also how big should a keydrive be? No docs say.

That was definitely in my slides, look again ;-) But I admit that slides don't
count as docs.
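The key layout described in this reply, modelled in Python as an added illustration (not OpenBSD's softraid code): one key disk carries several RAID-type partitions, each holding a freshly generated mask key for one volume, and the volume itself stores only the data key wrapped under that mask key. The wrap function below is a stand-in built from HMAC-SHA256 for the sake of a stand-alone script; it is an assumption, not softraid's actual cipher or on-disk format, and the key and nonce sizes are constructed for the model.

```python
import os
import hmac
import hashlib

KEY_LEN = 32    # bytes; model sizes, not softraid's real layout (assumption)
NONCE_LEN = 16


def _keystream(mask_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for the real cipher (assumption)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(mask_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wrap(mask_key: bytes, data_key: bytes) -> bytes:
    """Encrypt data_key under mask_key and append an integrity tag: nonce||ct||tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(mask_key, nonce, len(data_key))))
    tag = hmac.new(mask_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(mask_key: bytes, blob: bytes):
    """Return the data key, or None if the mask key does not match the blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mask_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(mask_key, nonce, len(ct))))


class KeyDisk:
    """One physical key disk; each RAID-type partition holds the mask key for one volume."""
    def __init__(self):
        self.partitions = {}            # partition letter -> mask key

    def key_partition(self, letter: str) -> bytes:
        # "-k" time: if the partition carries no key yet, generate one from entropy
        if letter not in self.partitions:
            self.partitions[letter] = os.urandom(KEY_LEN)
        return self.partitions[letter]


def create_volume(keydisk: KeyDisk, partition: str):
    """Make a new volume: fresh data key, wrapped under the partition's mask key."""
    data_key = os.urandom(KEY_LEN)
    volume = {"wrapped_key": wrap(keydisk.key_partition(partition), data_key)}
    return volume, data_key


def open_volume(keydisk: KeyDisk, partition: str, volume: dict):
    """Recover the data key using the mask key from the named key-disk partition."""
    mask_key = keydisk.partitions.get(partition)
    return None if mask_key is None else unwrap(mask_key, volume["wrapped_key"])
```

Two volumes share one key disk but use different partitions, so each volume's data key is independent and a volume is useless without its own partition's mask key.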