From owner-freebsd-current@FreeBSD.ORG Fri Jul 29 13:42:46 2005 Return-Path: X-Original-To: current@FreeBSD.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4452916A41F for ; Fri, 29 Jul 2005 13:42:46 +0000 (GMT) (envelope-from pjd@darkness.comp.waw.pl) Received: from darkness.comp.waw.pl (darkness.comp.waw.pl [195.117.238.136]) by mx1.FreeBSD.org (Postfix) with ESMTP id B443D43D45 for ; Fri, 29 Jul 2005 13:42:45 +0000 (GMT) (envelope-from pjd@darkness.comp.waw.pl) Received: by darkness.comp.waw.pl (Postfix, from userid 1009) id 60DDBACAEE; Fri, 29 Jul 2005 15:42:44 +0200 (CEST) Date: Fri, 29 Jul 2005 15:42:44 +0200 From: Pawel Jakub Dawidek To: Eric Anderson Message-ID: <20050729134244.GM609@darkness.comp.waw.pl> References: <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch> <42E981B9.5060500@datacomm.ch> <20050729103655.GG609@darkness.comp.waw.pl> <42EA205B.2000907@cytexbg.com> <42EA2EFE.3030800@centtech.com> <20050729133324.GL609@darkness.comp.waw.pl> <42EA311F.1020902@centtech.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5V5c01chtBAiSHoy" Content-Disposition: inline In-Reply-To: <42EA311F.1020902@centtech.com> User-Agent: Mutt/1.4.2i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 5.2.1-RC2 i386 Cc: current@FreeBSD.org Subject: Re: GELI - disk encryption GEOM class committed. X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jul 2005 13:42:46 -0000 --5V5c01chtBAiSHoy Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jul 29, 2005 at 08:37:35AM -0500, Eric Anderson wrote: +> Hmm - is that really true? How can one decrypt the root partition data= =20 +> without the key, but with the kernel and modules? It seems that if that= =20 +> is a problem, than encrypting any partition without the kernel/modules= =20 +> encrypted would be the same scenario. +>=20 +> I think there still is benefit in encrypting the root, but not /boot. I prefer method below: - put decrypted /boot/ directory onto small file system on your USB Pen-Dri= ve or CD-ROM, - set booting from USB/CD-ROM in your BIOS, - boot from Pen-Drive/CD-ROM, - GELI will ask your for the passphrase before root file system is mounted, - enter passphrase, - root parition is decrypted and mounted, - remove your Pen-Drive/CD-ROM. --=20 Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --5V5c01chtBAiSHoy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFC6jJUForvXbEpPzQRAnksAJ9pAyHvVKGbLaqbFlcwFIq3V42p4ACg9h2X FGsoGs8d9cl85F58G+3SEB4= =VYST -----END PGP SIGNATURE----- --5V5c01chtBAiSHoy--