gbde vs geli

Hello.

I want to build an embedded operating system (NanoBSD) over a FreeBSD distribution. I do not know whether for full disk encryption (all filesystems) I should use gbde or geli. Which method is better?
 
geli is a favored choice if you are going to use zfs.

It is worth considering pefs too.

I was just reading on the PC-BSD forum the reasons why they are moving away from geli and introducing pefs only for some directories. One of the main reasons is that encrypting the whole system with geli is not that safe. It is possible to crack the encryption based on the known size or checksum of standard directories such as /usr/src. So encrypting only unique directories might be safer. Hence pefs is a better solution. The other benefit is backup. With pefs you can back up files without having to decrypt them. I don't think you can do that with geli.
 
blazingice said:
The other benefit is backup. With pefs you can back up files without having to decrypt them. I don't think you can do that with geli.

You can make whole disk backups with dd (just make sure you have your keys and GELI metadata backed up as well) :) You don't even need to attach GELI. Downside: quite inefficient.

# dd if=/dev/encrypted_unattached_disk of=/dev/stdout bs=64M | xz > compressed_encrypted_disk_image.xz
 
The system asks me for a password to open the file system. Can I use file.key instead of a password (i.e. not use a password at all)?
Code:
if [ -f file.key ] ; then
    echo "Open and mount FileSystem"
fi
 
mah454 said:
Can I use file.key instead of a password?
GELI can be set up to use key files and/or passwords, if that's what you mean. See the -p, -P, -k and -K options for geli init and geli setkey, as described in geli(8).
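As an added example (not code from the thread or from FreeBSD itself), here is the key-file-only setup the answer describes, as a sh script built around the geli(8) options named above; the provider name, key file path and mount point are placeholders, and the setup path must run as root on FreeBSD.

```shell
#!/bin/sh
# Added example: unlock a GELI provider from a key file only (no passphrase).
# Provider/key/mount values are placeholders supplied by the caller.

geli_init_cmd() {   # $1 = provider (e.g. ada1p2), $2 = key file
    # -P: no passphrase component at all; -K: the key file is the key component
    printf 'geli init -P -K %s -e AES-XTS -l 256 -s 4096 %s' "$2" "$1"
}

geli_attach_cmd() { # $1 = provider, $2 = key file
    # -p: never prompt for a passphrase; -k: read the key component from the file
    printf 'geli attach -p -k %s %s' "$2" "$1"
}

# Key file: 64 random bytes, mode 0600, kept off the encrypted disk itself.
make_keyfile() {    # $1 = path
    ( umask 077 && dd if=/dev/random of="$1" bs=64 count=1 2>/dev/null ) || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# The check from the question, completed: only attach when the key file exists.
open_provider() {   # $1 = provider, $2 = key file, $3 = mount point
    if [ ! -f "$2" ]; then
        echo "key file $2 missing; not attaching $1" >&2
        return 1
    fi
    echo "Open and mount FileSystem"
    eval "$(geli_attach_cmd "$1" "$2")" || return 1
    mount "/dev/$1.eli" "$3"
}

# One-time setup: create key, init, back up metadata, attach, make a filesystem.
setup_provider() {  # $1 = provider, $2 = key file, $3 = metadata backup path
    make_keyfile "$2" || return 1
    eval "$(geli_init_cmd "$1" "$2")" || return 1
    geli backup "$1" "$3" || return 1   # store with the key file, off-disk
    eval "$(geli_attach_cmd "$1" "$2")" || return 1
    newfs -U "/dev/$1.eli"
}

if [ "${1:-}" = "setup" ]; then
    setup_provider "$2" "$3" "$4"
fi
```

Losing the key file is equivalent to losing the passphrase, so the key file and the `geli backup` metadata belong in the same off-disk backup the dd answer above mentions.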
 