From: Adam Vande More
To: Peter Eisentraut
Cc: pgsql-docs@postgresql.org
Date: Wed, 19 Jun 2013 21:45:34 -0500
Subject: Re: Data Partition Encryption documentation
In-Reply-To: <1371694802.13762.40.camel@vanquo.pezone.net>
List: pgsql-docs

On Wed, Jun 19, 2013 at 9:20 PM, Peter Eisentraut wrote:

> On Thu, 2013-04-18 at 15:16 -0500, Adam Vande More wrote:
> > On this page http://www.postgresql.org/docs/9.2/static/encryption-options.html,
> > "gbde" is listed as the method for encrypting block devices. While
> > correct, "geli" is a much more appropriate mention as it's a more
> > powerful (e.g. AES-NI support) and secure (more ciphers, data
> > authentication, etc.) solution.
>
> Could you provide an updated wording? (E.g., should we just replace
> gbde by geli, or list both?)

Sure, here is a change that encompasses more than my original observation. Take or leave or modify what you wish.

pseudo diff

-"On Linux, encryption can be layered on top of a file system using a "loopback device". This allows an entire file system partition to be encrypted on disk, and decrypted by the operating system. On FreeBSD, the equivalent facility is called GEOM Based Disk Encryption (gbde), and many other operating systems support this functionality, including Windows."

+"There are at least two methods of encrypting a file system. The first is to use a tool which implements an encrypted file system. On Linux, eCryptfs or EncFS are commonly used for this while FreeBSD uses PEFS. The other and perhaps more common method is to encrypt the block device a file system or swap partition resides on. These types of solutions can also provide full disk encryption. Linux generally uses dm-crypt + LUKS for this functionality with other options dependent on kernel version/distro. On FreeBSD, there are two GEOM modules to encrypt block devices: geli & gbde, with geli being the preferred solution for speed, security, and options. Many other operating systems have their own method of block device or full disk encryption."

--
Adam Vande More
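The proposed wording names dm-crypt + LUKS as the usual Linux way to encrypt the block device a data directory lives on. The script below is an added example, not part of this thread or of the PostgreSQL documentation: it builds such a volume on a loop-backed file (the "loopback device" of the old wording) and then checks, from lsblk output, that a given mount point really sits on a dm-crypt mapping, which is the verification an operator wants before trusting that a data partition is encrypted. The backing file path, the mapper name "pgdata" and the mount point are assumptions; the lsblk table embedded at the end is constructed so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the pgsql-docs thread or the PostgreSQL docs).
#   make_luks_volume  - block-device encryption with dm-crypt + LUKS on a
#                       loop-backed file; needs root and cryptsetup.
#   mount_is_dm_crypt - verify that the filesystem mounted at a path is a
#                       dm-crypt mapping, from `lsblk -rno NAME,TYPE,MOUNTPOINT`.
set -eu

make_luks_volume() {
  img=${1:-/var/tmp/pgdata.img}   # backing file (assumed path)
  name=${2:-pgdata}               # becomes /dev/mapper/pgdata (assumed name)
  mnt=${3:-/mnt/pgdata}           # mount point (assumed)
  size_mb=${4:-256}

  dd if=/dev/zero of="$img" bs=1M count="$size_mb" status=none
  chmod 600 "$img"
  # LUKS2 header, AES in XTS mode; cryptsetup prompts for the passphrase.
  cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 "$img"
  cryptsetup open "$img" "$name"
  mkfs.ext4 -q "/dev/mapper/$name"
  mkdir -p "$mnt"
  mount "/dev/mapper/$name" "$mnt"
  # The cleartext view is only reachable through the mount; keep it private.
  chmod 700 "$mnt"
}

# mount_is_dm_crypt MOUNTPOINT [LSBLK_TABLE]
# Exit 0 only when the row mounted at MOUNTPOINT has TYPE "crypt".
# Without LSBLK_TABLE the live lsblk output is used.
mount_is_dm_crypt() {
  target=$1
  if [ $# -ge 2 ]; then
    table=$2
  else
    table=$(lsblk -rno NAME,TYPE,MOUNTPOINT)
  fi
  printf '%s\n' "$table" | awk -v mp="$target" '
    $3 == mp { found = 1; if ($2 == "crypt") ok = 1 }
    END { exit (found && ok) ? 0 : 1 }'
}

# Constructed lsblk table: one mount on a dm-crypt mapping, one on a plain
# partition. Mirrors the shape of `lsblk -rno NAME,TYPE,MOUNTPOINT`.
SAMPLE_LSBLK='sda disk
sda1 part /boot
sda2 part
loop0 loop
pgdata crypt /mnt/pgdata
sdb disk
sdb1 part /var/lib/plaintext'

# Usage: "sh thisfile.sh setup" as root, then "sh thisfile.sh check /mnt/pgdata".
case "${1:-}" in
  setup) make_luks_volume ;;
  check) mount_is_dm_crypt "${2:-/mnt/pgdata}" && echo "on dm-crypt" || echo "NOT on dm-crypt" ;;
esac
```

The check deliberately looks at the device type of the mounted row rather than at a cipher name, because dm-crypt exposes the decrypted mapping as a distinct `crypt` node regardless of the algorithm chosen at format time; a stacked file-system tool such as eCryptfs or EncFS would not show up this way and needs its own check.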