# gbde vs geli



## mah454 (Aug 6, 2013)

Hello.

I want to build an embedded operating system (NanoBSD) over a FreeBSD distribution. I do not know whether for full disk encryption (all filesystems) I should use gbde or geli. What method is better?


----------



## fonz (Aug 6, 2013)

As far as I know gbde does not allow encryption of the root filesystem. So for full encryption you'll almost certainly want geli. See this section of the FreeBSD Handbook or the various tutorials posted on these forums.


----------



## blazingice (Aug 6, 2013)

geli is a favored choice if you are going to use zfs.

It is worth considering pefs too.

I was just reading from PC-BSD forum the reasons why they are moving away from geli and introducing pefs only for some directories. One of the main reasons is that encrypting the whole system with geli is not that safe. It is possible to crack the encryption based on known size or checksum of standard directories such as /usr/src. So encrypting only unique directories might be safer. Hence pefs is a better solution. The other benefit is backup. With pefs you can backup files without having to decrypt them. I don't think you can do that with geli.


----------



## graudeejs (Aug 6, 2013)

blazingice said:

> The other benefit is backup. With pefs you can backup files without having to decrypt them. I don't think you can do that with geli.


You can make whole disk backups with dd (just make sure you have your keys and GELI metadata backed up as well). You don't even need to attach GELI. Downside: quite inefficient.

`# dd if=/dev/encrypted_unattached_disk of=/dev/stdout bs=64M | xz > compressed_encrypted_disk_image.xz`


----------



## mah454 (Aug 7, 2013)

The system asks me for a password to open the file system. Can I use file.key instead of a password? (do not use password)

```sh
# Pseudocode: only try to open and mount the filesystem when the key file exists
if [ -f file.key ] ; then
    echo "Open and mount FileSystem"
fi
```


----------



## Monoecus (Aug 7, 2013)

One advantage of GELI over GBDE is that GELI can use a hardware random number generator like HIFN.


----------



## fonz (Aug 7, 2013)

mah454 said:

> Can I use file.key instead of a password?


GELI can be set up to use key files _and/or_ passwords, if that's what you mean. See the -p, -P, -k and -K options for `geli init` and `geli setkey`, as described in geli(8).
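A boot-time sequence using exactly those options (key file, no passphrase), together with the metadata backup graudeejs mentions above, as an added example that is not code from this thread or from FreeBSD itself; the provider /dev/ada0p3, the key path /root/file.key and the backup path are assumptions:

```shell
#!/bin/sh
# Added example: initialise and attach a GELI provider with a key file only
# (no passphrase). Assumed (not from the thread): provider /dev/ada0p3,
# key file /root/file.key. DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    # Print or execute a command; the dry-run path lets the script be checked offline.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a 64-byte random key file readable only by root (umask 077).
geli_make_keyfile() {
    keyfile=$1
    ( umask 077; run dd if=/dev/random of="$keyfile" bs=64 count=1 )
}

# geli init: -P means "no passphrase", -K names the key file. Then back up the
# metadata, because the key file alone is useless if the on-disk metadata is lost.
geli_init_keyfile() {
    prov=$1; keyfile=$2; backup=$3
    run geli init -P -K "$keyfile" "$prov"
    run geli backup "$prov" "$backup"
}

# geli attach: -p skips the passphrase prompt, -k supplies the key file. The
# existence check from the thread makes a boot script fail loudly if the key is gone.
geli_attach_keyfile() {
    prov=$1; keyfile=$2
    if [ ! -s "$keyfile" ]; then
        echo "key file $keyfile missing or empty, refusing to attach $prov" >&2
        return 1
    fi
    run geli attach -p -k "$keyfile" "$prov"
}

if [ "${DRY_RUN:-0}" = "1" ]; then
    geli_make_keyfile /root/file.key
    geli_init_keyfile /dev/ada0p3 /root/file.key /root/ada0p3.eli.backup
    geli_attach_keyfile /dev/ada0p3 /root/file.key
fi
```

Run it once with DRY_RUN=1 to review the commands before letting it touch a real provider; `geli setkey` takes the same -p/-P/-k/-K flags if you later want to add or replace a key.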


----------



## graudeejs (Aug 7, 2013)

blazingice said:

> It is worth considering pefs too.



Thanks for sysutils/pefs-kmod. I didn't know about that.


----------

