Date: Fri, 16 Jan 2009 18:53:18 +0100 From: Roland Smith <rsmith@xs4all.nl> To: Marco <ilikefbsd@web.de> Cc: freebsd-questions@freebsd.org Subject: Re: Runtime de/encryption Message-ID: <20090116175318.GA73625@slackbox.xs4all.nl> In-Reply-To: <497092C6.7030905@web.de> References: <497092C6.7030905@web.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jan 16, 2009 at 02:59:34PM +0100, Marco wrote: > Hello List, >=20 > i'am using the geom framework for quite a time. I'am happy about > gbde/geli implementations(beside the race condition in geli) however, i > wonder since some time, as the data may get > exposed on a running server(as the partitions decrypted)=20 On-disk encryption is not meant to secure access on a running machine. File and directory contents are only decrypted in memory, not on disk when you read them. You should use normal file permissions and possibly ACL's to restrict access to mounted filesystems. There are of course data structures in the kernel that contain decrypted information about the volume. But if an attacker can grab that info from a running kernel you've got bigger problems... > is there a way > to do some kind of runtime de/encyrption, with keys? so that only > special users with the right handle can encrypt or decrypt data? so > talking about another filesystem layer... I don't think there is something like that can be easily done. You'd have to alter the semantics of systems calls like open(2) and read(2) to use passwords. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) iEYEARECAAYFAklwyY4ACgkQEnfvsMMhpyW8aACglYwcnhDd2cp9eOS2N7+UX+ev MKEAnAzqyt+YDN5KxtyvETTLdYdYnq6S =T3zJ -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090116175318.GA73625>