From: "Charles Ulrich"
To: Jim.Kinsey@nokia.com
Cc: freebsd-questions@freebsd.org
Date: Fri, 17 Sep 2004 15:18:59 -0400 (EDT)
Subject: Re: Hard drive encryption

Jim.Kinsey@nokia.com said:
>
> Hello,
>
> I am writing to inquire about a hard drive encryption software that is
> compatible with FreeBSD. We have been using PointSEC with Windows and am
> looking for a similar solution for FreeBSD. I see you have GEOM Based Disk
> Encryption (gbde), which I have read about on your web site, but the folks
> here are resistant to using it and are asking for a 3rd party solution that is
> separate from the OS.

I don't know what third-party disk encryption services are available for
FreeBSD, nor do I know what the status of gbde is currently, but there is no
inherent reason that a third-party encryption service would be any more
stable or robust than one that's built into the OS. In fact, I'd argue just
the opposite, as the people who wrote gbde also work on related parts of the
FreeBSD kernel and nearly all of the core FreeBSD developers are well-known
for their ability to design and write quality, stable code. They would also
be the first ones to notice a change to the kernel that would adversely
affect gbde and probably also the first ones to fix such a problem.

> Do you have anything in mind? I understand that gbde
> requests a password before the partition can be mounted anyway so this
> simulates the same functionality of PointSEC, but since it is part of the OS,
> it seems that if someone has access to the OS, they could still get in. Is
> that right?

No, otherwise there would be no point in encrypting the data on the disk.
Encryption means that even if someone were to get their hands on the
physical disk (which is always considered the worst-case scenario, from a
security standpoint) and read all of the data off it, they could never use
it to gain any information since the data would appear scrambled unless they
decrypted it with the appropriate key (the password, in this case). In other
words, it's not the operating system that allows/disallows access to an
encrypted disk, it's the mathematical encryption algorithms. Similarly, disk
encryption has nothing to do with allowing/disallowing access to the system,
only its data.

--
Charles Ulrich
System Administrator
Ideal Solution - http://www.idealso.com