From owner-freebsd-questions@FreeBSD.ORG Wed Oct 24 17:40:29 2007
Date: Wed, 24 Oct 2007 19:38:58 +0200
From: Pawel Jakub Dawidek
To: Daniel Marsh
Cc: Steve Bertrand, freebsd-questions@freebsd.org
Subject: Re: Booting a GELI encrypted hard disk
Message-ID: <20071024173858.GA1119@garage.freebsd.pl>
References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl> <20071022174629.GA1118@garage.freebsd.pl> <1799.208.70.104.211.1193103682.squirrel@webmail.ibctech.ca>
User-Agent: Mutt/1.4.2.3i
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 7.0-CURRENT i386
On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
> Even if all data on a drive is encrypted, the partition table is not.
> Software based disk encryption works on partitions.

That's not true. One can configure full disk encryption using GELI. To do it
you need to have a small USB pen-drive or CD-ROM with a /boot/ directory, but
that's all you need. Then you actually boot from your unencrypted pen-drive,
but mount all file systems from the encrypted disk. The pen-drive is not
needed for your system to run and you can easily take it with you, which is
not always the case for your laptop.

> How far into the boot sequence do you get before your system crashes without
> the key present?
> I would assume as far as reading the / partition to get the kernel etc...
>
> It would have read the partition table and the boot loader, known which
> partition was the "active" partition and tried booting it.
>
> Now, to identify what OS this disk has on it you can check the partition
> table and see what "type" has been set for each slice/partition.
> You will be able to see that there is a BSD style slice on the disk just by
> running `fdisk /dev/mystolendiskdevice`
> You now know it's a BSD OS, you could then make a guess as to what version
> of BSD by the type of machine it was taken from, based on what hardware is
> supported by each BSD.
>
> I believe their slices and layout are identical but the file systems differ.
>
> The person with your disk could then start trying to determine what kind of
> disk encryption is in place.

That's all irrelevant. Security of GELI (or any sane cryptographic system)
doesn't depend on secrecy of the algorithms used.
-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
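The setup Pawel describes (unencrypted /boot on a removable pen-drive, every file system on the laptop disk inside a GELI provider) can be scripted. The following is an added example, not code from the original thread or from the FreeBSD project: a dry-run-capable helper that initialises the disk with a passphrase plus a key file that lives only on the pen-drive, and emits the loader.conf lines the pen-drive's /boot needs. The loader variables (geom_eli_load, geli_<dev>_keyfile0_*) and the geli(8) flags are the documented ones; the device name ad0, the mount point /mnt/pen and the key path are assumptions. With DRY_RUN=1 (the default) nothing is touched and the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the original thread): prepare a FreeBSD disk for GELI
# full-disk encryption with /boot kept on a removable pen-drive.
# Assumptions: ad0 is the laptop disk, the pen-drive is mounted on /mnt/pen.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# loader.conf lines for the pen-drive's /boot: load the geom_eli module,
# preload the key file so the boot-time passphrase prompt can combine it with
# the passphrase, and tell the kernel to mount root from the .eli provider.
# $1 = encrypted disk (e.g. ad0), $2 = key-file path as seen from the pen-drive's /boot
geli_loader_conf() {
    dev="$1"; keyfile="$2"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$dev"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$dev" "$dev"
    printf 'geli_%s_keyfile0_name="%s"\n' "$dev" "$keyfile"
    printf 'vfs.root.mountfrom="ufs:/dev/%s.eli"\n' "$dev"
}

# fstab line for the encrypted root (goes into /etc/fstab on the encrypted disk).
geli_fstab_line() {
    printf '/dev/%s.eli\t/\tufs\trw\t1\t1\n' "$1"
}

# One-time initialisation of the disk:
#   -b  ask for the passphrase at boot, before root is mounted
#   -K  combine the passphrase with a key file (only ever stored on the pen-drive)
#   -s  4 KiB sectors to reduce per-sector overhead
# The key file is 64 random bytes; geli init reads the passphrase interactively.
geli_init_disk() {
    dev="$1"; keyfile="$2"
    run dd if=/dev/random of="$keyfile" bs=64 count=1
    run geli init -b -s 4096 -K "$keyfile" "/dev/$dev"
    run geli attach -k "$keyfile" "/dev/$dev"
    run newfs "/dev/$dev.eli"
}

DISK=ad0
PEN=/mnt/pen
KEY="$PEN/boot/keys/$DISK.key"

run mkdir -p "$PEN/boot/keys"
geli_init_disk "$DISK" "$KEY"
if [ "$DRY_RUN" = "1" ]; then
    echo "# would append to $PEN/boot/loader.conf:"
    geli_loader_conf "$DISK" "/boot/keys/$DISK.key"
    echo "# add to /etc/fstab on the encrypted root:"
    geli_fstab_line "$DISK"
else
    geli_loader_conf "$DISK" "/boot/keys/$DISK.key" >> "$PEN/boot/loader.conf"
    geli_fstab_line "$DISK"
fi
```

The point of the two-factor `geli init -K` is the one Pawel makes: the disk alone, without both the key file on the pen-drive and the passphrase, cannot be attached, and the pen-drive alone holds nothing but an unencrypted /boot. Keep a second copy of the key file (and of the metadata via `geli backup`) somewhere safe, since losing the pen-drive otherwise locks you out too.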