# GELI vs. dm-crypt/LUKS



## gofer_touch (Dec 20, 2015)

Is there anyone who might be able to shed a bit of light as to why GELI seems to just be a FreeBSD disk encryption tool rather than a *BSD disk encryption tool?

I discovered some time ago that a Truecrypt compatible layer for full disk encryption was written from the ground up to be BSD-licensed for use on Dragonfly and now OpenBSD seems to also be in the process of testing it for their use. http://www.bsdnow.tv/episodes/2015_05_27-vox_populi

Are there major reasons as to why GELI wasn't considered?


----------



## Beastie7 (Dec 20, 2015)

Because GELI is part of the GEOM framework in FreeBSDs disk subsystem. As such, is it a FreeBSD only technology.


----------



## gofer_touch (Dec 20, 2015)

Ah. Thanks for that clarification.


----------



## Oko (Dec 20, 2015)

gofer_touch said:


> Is there anyone who might be able to shed a bit of light as to why GELI seems to just be a FreeBSD disk encryption tool rather than a *BSD disk encryption tool?


While I am not familiar with historical facts regarding the development of GELI this is by no means unique case. FreeBSD bsnmp daemon in spite its sounding is not used on other BSDs and as a matter of fact is far inferior peace of code to OpenBSD implementation of SNMP daemon (FreeNAS just uses net-snmp which irritates the bones out of me). Linux uses net-snmp.



gofer_touch said:


> I discovered some time ago that a Truecrypt compatible layer for full disk encryption was written from the ground up to be BSD-licensed for use on Dragonfly and now OpenBSD seems to also be in the process of testing it for their use. http://www.bsdnow.tv/episodes/2015_05_27-vox_populi
> 
> Are there major reasons as to why GELI wasn't considered?


I am confused why are you talking about Truecrypt and dm-crypt/LUKS in one sentence. These are completely unrelated things. Truecrypt was de-facto standard Windows specific encryption used by U.S. government agencies so if you were doing any contracting work for them it was
very convenient to have it. Truecrypt was running on Linux but Linux had also its own clone Realcrypt. Both products were border line usable and I have used them with mixed success for large drives. I have never tried to use DragonFly implementation of Truecrypt but once upon time it was on my todo list.

LUKS is Linux crypto discipline. I don't know the details how DragonFly got LUKS but they also have Linux LVM which is HAMMER unaware so not very useful at all. I have not used LUKS on DF but IIRC there is an option to encrypt root partition in the installer which utilizes LUKS. I thank you for the link for BSD now episode from May of 2015. After reading the summary  I carefully went back and forth through CVS commits for OpenBSD to see what is going on. I was very surprised hearing about LUKS and OpenBSD in one sentence. This is what I found out

http://marc.info/?l=openbsd-tech&m=143247114716771&w=2

if you read the threat furtherer you will see that the patch was rejected and OpenBSD has no use case for LUKS unlike OP. The patch was really a patch for OpenBSD softraid to enable quick dirty access to LUKS shares. The OP obviously sharing disk between OpenBSD and Linux. That is not a compelling reason to have support for LUKS in sortraid driver.

Finally since this is FreeBSD forum I see nothing wrong with GELI. What FreeBSD is missing is the native crypto discipline for ZFS like Solaris have but that is a whole another story.


----------



## kpa (Dec 20, 2015)

There are lot of seemingly similar crypto subsystems around there and the natural thought is of course if they could be unified to a single all-encompassing system. The problem is really that all of these systems such as GELI are heavily reliant on the underlying framework/infrastructure such as GEOM on FreeBSD and few other system dependent kinks. I can imagine someone trying to rewrite GELI to be portable to other BSDs but giving up quickly when it becomes clear that the GEOM methodology of doing things is incompatible with what is done in for example OpenBSD's softraid.


----------

