Date: Wed, 23 Aug 2006 16:07:13 -0700 From: Steve Brown <sdbrown@annular.org> To: questions@FreeBSD.org Subject: Re: Geli questions.. ponderings.. Message-ID: <20060823230713.GA61890@glycine.annular.org> In-Reply-To: <54380.66.209.36.253.1156355078.squirrel@mail.totaldiver.net> References: <54380.66.209.36.253.1156355078.squirrel@mail.totaldiver.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> The idea: I'd like to use geli to encrypt *everything* on the disk. So > if someone (a competitor maybe) removes the disk from the machine, he > can't gain any data off of it easily. I know nothing is 100%, but why > make the process easy for him? It seems like there is a more basic problem here than automating key downloading. If the end-user can boot up the box, then they have an opportunity to interfere with the boot process. The code providing instructions to fetch a remote key would have to be in the clear, in which case the competitor could just use that code to get the remote key (since it would do so automatically on boot, I assume you're not requiring the client to call you for key authorization every time?) and then access the disk. The problem is wanting to automate the decryption process, I think. Steve B.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060823230713.GA61890>