# [GELI] How big should a keyfile be?



## fonz (Dec 19, 2009)

Sorry if this is a FAQ but I couldn't find it in geli(8) nor the Handbook nor on this forum.

When encrypting a disk/partition with geli using both a password and a keyfile, how big should the keyfile be? And is there a relation to the key length as specified by the -l option to the geli init command?

In concreto: suppose you do the following:
`# dd if=/dev/random of=/somewhere/keyfile [red]bs=X[/red] count=1`
`# geli init -e Blowfish [red]-l 256[/red] -b -s 4096 /dev/somedisk`
What should [red]X[/red] be?

Thanks in advance,

Alphons


----------



## honk (Dec 19, 2009)

From my understanding, the password (better passphrase) and the key-file is used to decrypt the master key.

Encryption/Decryption of the "disk" is always done using this master key with the symmetric algorithm you specified (Blowfish). The -l option to geli init defines the length of that master key, so it is not related to the length of your key-file. This means your key-file could have lengths of lets say 256kbyte, which extends your passphrase.

cheers,
honk


----------

