How secure is my GELI?

[Outis]

I've used the PC-BSD installer to install FreeBSD 9.0 on a GELI encrypted ssd because I didn't know how to install FreeBSD with GELI with the FreeBSD installation disk and I was too lazy to figure it out. Now I've been wondering: how secure is the GELI configuration I'm using? My password is very long and totally random, so this shouldn't be an issue, but I have no idea what encryption algorithm I'm using and whether or not the PC-BSD installer did everything right.

Does anyone have some experience in the field? What kind of information can I get from GELI about my encryption?

 

[gordon@]

I would recommend reading through the geli(8) man page to figure out the information that you are looking for.

 

[danvari]

I would guess PC-BSD is using the defaults: AES-XTS 128bit with 512 byte sector size and as far as I know PC-BSD is only encrypting /usr/home. Do not think 128bit is weak or anything, a 128bit key is much stronger than a 256bit key (refer to 'related key attack' in 2011). So if encrypting your user data is enough for you that will be ok. I am encrypting / and leave /boot unencrypted, but in praxis I don't gain any benefits.

 

[sossego]

If you keep the lid on tight, place it in the fridge, close the fridge door, and lock up your house. then your geli will remain secure and fresh.