Re: Data Partition Encryption documentation

From: Adam Vande More <amvandemore(at)gmail(dot)com>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: pgsql-docs(at)postgresql(dot)org
Subject: Re: Data Partition Encryption documentation
Date: 2013-06-20 02:45:34
Message-ID: CA+tpaK3Xshy2FhGQix3tuUYUs49gLYjpYPeXq-o1b-q3PRHwOA@mail.gmail.com
Lists: pgsql-docs

On Wed, Jun 19, 2013 at 9:20 PM, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:

> On Thu, 2013-04-18 at 15:16 -0500, Adam Vande More wrote:
> > On this page
> http://www.postgresql.org/docs/9.2/static/encryption-options.html,
> > "gbde" is listed as the method for encrypting block devices. While
> > correct, "geli" is a much more appropriate mention as it's a more
> > powerful (e.g. AES-NI support) and secure (more ciphers, data
> > authentication, etc.) solution.
>
> Could you provide an updated wording? (E.g., should we just replace
> gbde by geli, or list both?)
>
>
Sure, here is a change that encompasses more than my original observation.
Take or leave or modify what you wish.

pseudo diff

-"On Linux, encryption can be layered on top of a file system using a "loopback
device". This allows an entire file system partition to be encrypted on
disk, and decrypted by the operating system. On FreeBSD, the equivalent
facility is called GEOM Based Disk Encryption (gbde), and many other
operating systems support this functionality, including Windows."

+"There are at least two methods of encrypting a file system. The first is
to use a tool which implements an encrypted file system. On Linux,
eCryptfs or EncFS
are commonly used for this while FreeBSD uses PEFS. The other and perhaps
more common method is to encrypt the block device a file system or swap
partition resides on. These types of solutions can also provide full disk
encryption. Linux generally uses dm-crypt + LUKS for this functionality
with other options dependent on kernel version/distro. On FreeBSD, there
are two GEOM modules to encrypt block devices: geli & gbde with geli being
the preferred solution for speed, security, and options. Many other
operating system have their own method of block device or full disk
encryption."
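Review bot: the lead sentence of the + paragraph, "There are at least two methods of encrypting a file system", does not fit the second method it then describes, which encrypts the block device underneath a file system or swap partition rather than the file system itself; "protecting a file system on disk" or "encrypting data at rest" would cover both cases. Two smaller points in the same paragraph: "Many other operating system have" should read "operating systems have", and the bare "speed, security, and options" claim for geli over gbde would serve readers better with one concrete reason, since the earlier mail in this thread already names AES-NI support and data authentication and the docs page otherwise gives no basis for the preference.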

--
Adam Vande More
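The proposed wording points operators at dm-crypt + LUKS for the device under the data directory. What a deployment then wants is a check, before the database starts, that the device backing PGDATA really carries a LUKS header with the settings that were intended. The following is an added example for this thread, not code from pgsql-docs, PostgreSQL or cryptsetup: it parses the binary LUKS1 header (592 bytes, big-endian fields) that LUKS writes at offset 0 of a block device, recognises a LUKS2 header, and reports findings against a small policy. The sample headers are constructed in code rather than captured from real devices, and `check_pgdata_device`, `build_luks1_header` and the policy arguments are this example's own names.

```python
"""Pre-start check that a PostgreSQL data device carries a sane LUKS header.

Added example for the pgsql-docs thread; not code from PostgreSQL or cryptsetup.
The sample headers are constructed below, not read from real devices.
"""
import struct
from dataclasses import dataclass, field

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 fixed part: magic, version, cipher-name, cipher-mode, hash-spec,
# payload-offset (sectors), key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iter, uuid.  It is followed by 8 key slots of 48 bytes each.
LUKS1_FIXED = ">6sH32s32s32sII20s32sI40s"
LUKS1_SLOT = ">II32sII"           # active, iterations, salt, key-material-offset, stripes
LUKS_KEY_ENABLED, LUKS_KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
LUKS2_UUID_OFFSET = 168           # after magic, version, hdr_size, seqid, label, csum_alg, salt


@dataclass
class LuksInfo:
    version: int
    uuid: str
    cipher: str = ""              # "<name>-<mode>", filled in for LUKS1 only
    hash_spec: str = ""
    key_bits: int = 0
    active_slots: list = field(default_factory=list)


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(hdr: bytes) -> LuksInfo:
    """Parse the leading bytes of a device; raises ValueError if it is not LUKS."""
    if len(hdr) < 8 or hdr[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0: device is not LUKS-formatted")
    version = struct.unpack_from(">H", hdr, 6)[0]
    if version == 2:
        # LUKS2 keeps cipher and keyslots in a JSON area after the binary
        # header; only the uuid is taken from the binary part here.
        return LuksInfo(2, _cstr(hdr[LUKS2_UUID_OFFSET:LUKS2_UUID_OFFSET + 40]))
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    fixed_len, slot_len = struct.calcsize(LUKS1_FIXED), struct.calcsize(LUKS1_SLOT)
    (_, _, name, mode, hash_spec, _payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(LUKS1_FIXED, hdr, 0)
    slots = []
    for i in range(8):
        active, *_ = struct.unpack_from(LUKS1_SLOT, hdr, fixed_len + i * slot_len)
        if active == LUKS_KEY_ENABLED:
            slots.append(i)
        elif active != LUKS_KEY_DISABLED:
            raise ValueError(f"keyslot {i} has corrupt active flag {active:#x}")
    return LuksInfo(1, _cstr(uuid), f"{_cstr(name)}-{_cstr(mode)}", _cstr(hash_spec),
                    key_bytes * 8, slots)


def check_pgdata_device(hdr: bytes, allowed_ciphers=("aes-xts-plain64",),
                        min_key_bits=256, weak_hashes=("sha1", "ripemd160")) -> list:
    """Return a list of findings; an empty list means the device passes the policy."""
    try:
        info = parse_luks_header(hdr)
    except ValueError as exc:
        return [str(exc)]
    if info.version == 2:
        return ["LUKS2 header found; cipher and keyslots live in the JSON area "
                "and are not inspected by this check"]
    findings = []
    if info.cipher not in allowed_ciphers:
        findings.append(f"cipher {info.cipher} not in allowed set {allowed_ciphers}")
    if info.key_bits < min_key_bits:
        findings.append(f"master key is {info.key_bits} bits, below {min_key_bits}")
    if info.hash_spec in weak_hashes:
        findings.append(f"weak PBKDF2 hash {info.hash_spec}")
    if not info.active_slots:
        findings.append("no active keyslot: the volume can never be unlocked")
    return findings


def read_header(device_path: str, size: int = 4096) -> bytes:
    """Read header bytes from a real device (needs read access to it, typically root)."""
    with open(device_path, "rb") as dev:
        return dev.read(size)


def build_luks1_header(cipher="aes", mode="xts-plain64", hash_spec="sha256",
                       key_bytes=64, active_slots=(0,)) -> bytes:
    """Constructed LUKS1 header for testing; digest, salts and uuid are placeholders."""
    fixed = struct.pack(LUKS1_FIXED, LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                        hash_spec.encode(), 4096, key_bytes, b"\x11" * 20, b"\x22" * 32,
                        100000, b"constructed-uuid-for-example-0001")
    slots = b"".join(
        struct.pack(LUKS1_SLOT, LUKS_KEY_ENABLED if i in active_slots else LUKS_KEY_DISABLED,
                    50000, b"\x33" * 32, 8 + i * 256, 4000)
        for i in range(8))
    return fixed + slots


if __name__ == "__main__":
    good = build_luks1_header()
    weak = build_luks1_header(mode="cbc-essiv:sha256", hash_spec="sha1",
                              key_bytes=16, active_slots=())
    print("good:", check_pgdata_device(good) or "ok")
    print("weak:", check_pgdata_device(weak))
    print("plain:", check_pgdata_device(b"\0" * 4096))
```

On a live host the call is `check_pgdata_device(read_header("/dev/mapper/..."))` against the raw device, not the opened dm-crypt mapping, and the policy values are assumptions for the example rather than anything the docs page prescribes. The check deliberately parses the header itself instead of shelling out to `cryptsetup luksDump`, so it does not depend on a binary being present in the init environment. It covers only Linux LUKS: FreeBSD's geli keeps its metadata in the last sector of the provider and in a different layout, so the same idea there needs a separate parser.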
