From owner-freebsd-questions@FreeBSD.ORG  Thu Jul 14 01:59:33 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 38B8D16A41C
	for <freebsd-questions@freebsd.org>;
	Thu, 14 Jul 2005 01:59:33 +0000 (GMT) (envelope-from on@cs.ait.ac.th)
Received: from mail.cs.ait.ac.th (mail.cs.ait.ac.th [192.41.170.16])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 43E5743D46
	for <freebsd-questions@freebsd.org>;
	Thu, 14 Jul 2005 01:59:31 +0000 (GMT) (envelope-from on@cs.ait.ac.th)
Received: from banyan.cs.ait.ac.th (banyan.cs.ait.ac.th [192.41.170.5])
	by mail.cs.ait.ac.th (8.12.11/8.12.11) with ESMTP id j6E1xO5P040330
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 14 Jul 2005 08:59:24 +0700 (ICT)
Received: (from on@localhost)
	by banyan.cs.ait.ac.th (8.13.1/8.12.11) id j6E1xOji020257;
	Thu, 14 Jul 2005 08:59:24 +0700 (ICT)
Date: Thu, 14 Jul 2005 08:59:24 +0700 (ICT)
Message-Id: <200507140159.j6E1xOji020257@banyan.cs.ait.ac.th>
From: Olivier Nicole <on@cs.ait.ac.th>
To: alexandre.delay@free.fr
In-reply-to: <1121252743.42d4f587ada2c@imp4-q.free.fr>
	(alexandre.delay@free.fr)
References: <1121252743.42d4f587ada2c@imp4-q.free.fr>
X-Virus-Scanned: on CSIM by amavisd-milter (http://www.amavis.org/)
Cc: freebsd-questions@freebsd.org
Subject: Re: securing FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2005 01:59:33 -0000

> or by setting the actual hdd to secondary and plug an other primary
> hdd

Once the hardware is compromised, it is really tricky to keep secure.

If you cannot protect your hardware (secure room) then your hard disk
has to auto protect itself: encrypt the data, and have no saved
password on the disk itself (means you will have to enter a passphrase
each time your disk is mounted).

I'd have 2 physical disks, one for the system and one for the
data. The system disk is cleartext, the data is encrypted. And I'd
have the private key on a removable device (like USB for exeample).

Be sure that your system does not dump any memory image in case of
panic.

Another solution (expensive and only valid for a limited amount of
data) have a RAM disk (and secure your electric power supply). An
intruder would have to turn off the power to grab the memory. Doing so
he would delete the data... Depends what is your level of paranoia :)

Olivier