# How secure is my GELI?



## Outis (Oct 28, 2012)

I've used the PC-BSD installer to install FreeBSD 9.0 on a GELI encrypted ssd because I didn't know how to install FreeBSD with GELI with the FreeBSD installation disk and I was too lazy to figure it out. Now I've been wondering: how secure is the GELI configuration I'm using? My password is very long and totally random, so this shouldn't be an issue, but I have no idea what encryption algorithm I'm using and whether or not the PC-BSD installer did everything right.

Does anyone have some experience in the field? What kind of information can I get from GELI about my encryption?


----------



## gordon@ (Oct 28, 2012)

I would recommend reading through the geli(8) man page to figure out the information that you are looking for.


----------



## danvari (Oct 29, 2012)

I would guess PC-BSD is using the defaults: AES-XTS 128bit with 512 byte sector size and as far as I know PC-BSD is only encrypting /usr/home. Do not think 128bit is weak or anything, a 128bit key is much stronger than a 256bit key (refer to 'related key attack' in 2011). So if encrypting your user data is enough for you that will be ok. I am encrypting / and leave /boot unencrypted, but in praxis I don't gain any benefits.


----------



## sossego (Oct 31, 2012)

If you keep the lid on tight, place it in the fridge, close the fridge door, and lock up your house. then your geli will remain secure and fresh.


----------

