-j option several times? #26

Closed
benrubson opened this issue Nov 24, 2015 · 2 comments

@benrubson

Hello,

On my server, I would like to have a PEFS directory protected by both a user password and another secret owned by the server itself.

So here is what I did:
echo userpassword | pefs add chain -j - -k /my/server/secret -Z -f /private.enc/

However, here you wrote:
PEFS key may be split into several components by using -k option, but note that -k assumes that input file is already a key, thus skipping pbkdf2 transform performed for passwords.

So I think I should do:
echo userpassword | pefs add chain -j - -j /my/server/secret -Z -f /private.enc/

Sounds like it works, however my question is, can we use -j (and -J) several times?
Is it a supported use case?

Perhaps you could clarify this in the man page?

Gleb, thank you very much!

Ben

@glk
Collaborator

glk commented Dec 1, 2015

Both multiple -j and -k options are supported (as well as a combination of them).

To be compatible with geli, password file content is truncated at the first newline character. E.g.

echo "foo1\nfoo2" > jfile1
echo "bar" | pefs -j - -j jfile1

is equivalent to

echo "barfoo1" | pefs -j -

I don't know on what grounds the decision in geli was made to exhibit such behavior.

At a high level (with details omitted for clarity) the key derivation procedure in pefs is the following:

KEY = SHA512(RAW_KEY_MATERIAL)
RAW_KEY_MATERIAL = KEYFILE1 || KEYFILE2 || .. || KEYFILEN || PBKDF2(RAW_PASSWORD_MATERIAL)
RAW_PASSWORD_MATERIAL = PASSFILE1 || PASSFILE2 || .. || PASSFILEN || PASSPROMPT

PASSPROMPT is the password entered by the user on the console.
Some of KEYFILE*, PASSFILE* and PASSPROMPT may be optional depending on the command line options.

In other words:

  • Processing password sources (raw password material) with PBKDF2 produces another raw key material source.
  • Multiple raw key material sources are used as input to the hash function to produce the actual key.
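As an added illustration (not code from the pefs project or from this thread), the following Python model follows the derivation Gleb describes above. The PBKDF2 salt and iteration count are constructed assumptions, as is the omission of the PBKDF2 term when no password source is given; the server secret and passwords are constructed sample values. It reproduces the newline-truncation equivalence from the answer and shows why passing the same server secret with -k versus -j yields different keys.

```python
import hashlib

# Constructed PBKDF2 parameters for illustration; the thread does not give
# pefs's real salt, iteration count or PRF.
PBKDF2_SALT = b"constructed-salt"
PBKDF2_ITERATIONS = 1000


def password_component(data: bytes) -> bytes:
    """A -j password file contributes only the bytes before its first
    newline (the geli-compatible truncation described in the answer)."""
    return data.split(b"\n", 1)[0]


def raw_password_material(passfiles, passprompt=b"") -> bytes:
    """RAW_PASSWORD_MATERIAL = PASSFILE1 || ... || PASSFILEN || PASSPROMPT"""
    return b"".join(password_component(p) for p in passfiles) + passprompt


def derive_key(keyfiles=(), passfiles=(), passprompt=b"") -> bytes:
    """KEY = SHA512(KEYFILE1 || ... || KEYFILEN || PBKDF2(RAW_PASSWORD_MATERIAL)).
    -k key files are used verbatim; -j/-J password sources go through PBKDF2.
    Assumption: with no password source at all, the PBKDF2 term is omitted."""
    raw_key_material = b"".join(keyfiles)
    if passfiles or passprompt:
        pw = raw_password_material(passfiles, passprompt)
        raw_key_material += hashlib.pbkdf2_hmac(
            "sha512", pw, PBKDF2_SALT, PBKDF2_ITERATIONS)
    return hashlib.sha512(raw_key_material).digest()


# Constructed server secret: 32 random-looking bytes with a 0x0a at offset 5.
SERVER_SECRET = b"\x8f\x01\x7cA\xd2\n\x13" + bytes(range(25))
USER_PASSWORD = b"userpassword\n"  # what `echo userpassword |` delivers


def key_with_dash_k() -> bytes:
    """pefs ... -j - -k /my/server/secret : secret used as a whole key file."""
    return derive_key(keyfiles=[SERVER_SECRET], passfiles=[USER_PASSWORD])


def key_with_dash_j() -> bytes:
    """pefs ... -j - -j /my/server/secret : secret treated as a password file,
    so only the bytes before its first newline are used."""
    return derive_key(passfiles=[USER_PASSWORD, SERVER_SECRET])


def effective_secret_bytes_as_j() -> int:
    """How many bytes of the constructed secret survive -j truncation."""
    return len(password_component(SERVER_SECRET))
```

A binary secret fed through -j therefore loses everything after its first 0x0a byte, which is why a file that is already key material belongs with -k.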

@benrubson
Author

Gleb,

Perfect, thank you very much for your answer!

Ben

I think you can now close this request.
