From owner-freebsd-questions@FreeBSD.ORG Fri Sep 17 21:53:08 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8387616A4CE for ; Fri, 17 Sep 2004 21:53:08 +0000 (GMT) Received: from merke.itea.ntnu.no (merke.itea.ntnu.no [129.241.7.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id 105D443D1D for ; Fri, 17 Sep 2004 21:53:08 +0000 (GMT) (envelope-from svein-freebsd-questions@theloosingend.net) Received: from localhost (localhost [127.0.0.1]) by merke.itea.ntnu.no (Postfix) with ESMTP id B77D113C7D3 for ; Fri, 17 Sep 2004 23:51:08 +0200 (CEST) Received: from mirrorball.thelosingend.net (m069c.studby.ntnu.no [129.241.130.69]) by merke.itea.ntnu.no (Postfix) with SMTP for ; Fri, 17 Sep 2004 23:51:08 +0200 (CEST) Received: (qmail 83650 invoked by uid 1001); 17 Sep 2004 21:51:08 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Sep 2004 21:51:08 -0000 Date: Fri, 17 Sep 2004 23:51:08 +0200 (CEST) From: Svein Halvor Halvorsen X-X-Sender: sveinhal@mirrorball.thelosingend.net To: Jim.Kinsey@nokia.com In-Reply-To: <59A36C4D2F9E7243BEB522274F72C30390B90A@mvebe001.americas.nokia.com> Message-ID: <20040917233831.L76874@mirrorball.thelosingend.net> References: <59A36C4D2F9E7243BEB522274F72C30390B90A@mvebe001.americas.nokia.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Content-Scanned: with sophos and spamassassin at mailgw.ntnu.no. cc: freebsd-questions@FreeBSD.org Subject: Re: Hard drive encryption X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: questions@freebsd.org List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Sep 2004 21:53:08 -0000 [Jim.Kinsey@nokia.com, 2004-09-16] > I understand that gbde requests a password before the partition can be > mounted anyway so this simulates the same functionality of PointSEC, > but since it is part of the OS, it seems that if someone has access to > the OS, they could still get in. Is that right? See gbde(4) http://www.freebsd.org/cgi/man.cgi?query=gbde&sektion=4 The objective of this facility is to provide a high degree of denial of access to the contents of a ``cold'' storage device. Be aware that if the computer is compromised while up and running and the storage device is actively attached and opened with a valid pass-phrase, this facility offers no protection or denial of access to the contents of the storage device. If, on the other hand, the device is ``cold'', it should present an formidable challenge for an attacker to gain access to the contents in the absence of a valid pass-phrase. Four cryptographic barriers must be passed to gain access to the data, and only a valid pass-phrase will yield this access. A "cold" device should be understood as a hard drive (or other geom- device) that is not powered on, or that has not yet been opened by a valid pass-phrase. For more info on the four barriers, read the rest of the manual page. GBDE should not be any less secure just because the OS has builtin support for it.