From owner-freebsd-questions@FreeBSD.ORG Thu Jun 7 14:53:03 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D240916A469 for ; Thu, 7 Jun 2007 14:53:03 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42]) by mx1.freebsd.org (Postfix) with ESMTP id 6BA7213C468 for ; Thu, 7 Jun 2007 14:52:58 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from epia-2.farid-hajji.net (epia-2 [192.168.254.11]) by fw.farid-hajji.net (Postfix) with ESMTP id 18D27DF702; Thu, 7 Jun 2007 16:49:48 +0200 (CEST) Date: Thu, 7 Jun 2007 16:54:31 +0200 From: cpghost To: Eric F Crist , freebsd-questions@freebsd.org Message-ID: <20070607145431.GA65146@epia-2.farid-hajji.net> References: <905f1be0706060528p3217f614he29a7d4b33ac01dc@mail.gmail.com> <20070606170044.GA59161@slackbox.xs4all.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20070606170044.GA59161@slackbox.xs4all.nl> User-Agent: Mutt/1.5.15 (2007-04-06) Cc: Subject: Re: GEOM/GELI Boot Disk Encryption X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jun 2007 14:53:03 -0000 On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote: > On Wed, Jun 06, 2007 at 07:28:48AM -0500, Eric F Crist wrote: > > I'm trying to take a system that already has a running freebsd system (or I > > can start over), and make the entire system encrypted. I've found > > instructions (freebsd manual) for creating secondary disks, but not the boot > > disk in particular. > > > > Can anyone point me in the right direction? > > Personally, I wouldn't bother encrypting anything but your own data, > i.e. /home. And for backup purposes it's better to make a seperate slice > for that anyway. You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp, and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in addition to /home. Most userland programs can leak sensitive date there that you'd rather have encrypted too. Add to this: stuff like /var/db (esp. useful for /var/db/pgsql, /var/db/mysql, mail spool directories and some such), and maybe /var/log as well. Encrypting the complete /var filesystem is easier though... Some ports also use /usr/local/www to store user-specific data, but what's the point of encrypting this? ;-) > Roland > -- > R.F.Smith http://www.xs4all.nl/~rsmith/ > [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] > pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) Regards, -cpghost. -- Cordula's Web. http://www.cordula.ws/