From: Eric Crist
Date: Fri, 8 Jun 2007 07:16:44 -0500
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: GEOM/GELI Boot Disk Encryption
Message-Id: <191E5B74-1CED-44B7-8DEA-9BEB4741FC5D@gmail.com>
In-Reply-To: <20070607145431.GA65146@epia-2.farid-hajji.net>

On Jun 7, 2007, at 9:54 AM, cpghost wrote:

> On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote:
>> You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp,
>> and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in
>> addition to /home. Most userland programs can leak sensitive data
>> there that you'd rather have encrypted too.
>
> Add to this: stuff like /var/db (esp. useful for /var/db/pgsql,
> /var/db/mysql, mail spool directories and some such), and maybe
> /var/log as well. Encrypting the complete /var filesystem is
> easier though... Some ports also use /usr/local/www to store
> user-specific data, but what's the point of encrypting this? ;-)
>
> Regards,
> -cpghost.

So, back to encrypting my entire disk, I just need to put the boot
partition on its own slice? There's all the bits available to start up
the decryption stuff after that loads, so I can make my entire system,
swap and all, encrypted, right?

Eric
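For readers following the thread, here is the layout the question is describing, written out as configuration. This is an added example and not part of the original message or the FreeBSD documentation. The device names (ad0s1a, ad0s1b, ad0s1d), the /unenc mount point and the key file path are assumptions chosen for illustration; the rc.conf, fstab and loader.conf variables and the geli(8) options are the real ones. The small partition ad0s1a stays unencrypted because the boot blocks have to read /boot/loader and the kernel from it before any GELI provider can be attached; everything else, swap included, is encrypted. Once the encrypted root is mounted, /boot is a symlink into the unencrypted partition so kernel installs land where the loader expects them.

```conf
# --- one-time setup (run as root, shown here as comments) ---
# Root provider: -b makes the kernel ask for the passphrase during boot,
# before the root filesystem is mounted. AES-XTS needs geli from 8.0 on;
# on the 2007-era releases the algorithm was spelled "aes".
#   geli init -b -e AES-XTS -l 256 -s 4096 /dev/ad0s1d
#   geli attach /dev/ad0s1d
#   newfs -U /dev/ad0s1d.eli
# The unencrypted slice only holds the boot directory:
#   newfs -U /dev/ad0s1a
# Inside the encrypted root, after copying /boot to the unencrypted
# partition (mounted at /unenc):
#   ln -s /unenc/boot /boot

# --- /boot/loader.conf (lives on the unencrypted ad0s1a) ---
geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ad0s1d.eli"

# --- /etc/fstab (lives on the encrypted root) ---
# Device              Mountpoint  FStype  Options  Dump  Pass
/dev/ad0s1d.eli       /           ufs     rw       1     1
/dev/ad0s1a           /unenc      ufs     rw       1     1
# The .eli suffix tells rc(8) to attach swap with a random one-time key.
/dev/ad0s1b.eli       none        swap    sw       0     0

# --- /etc/rc.conf ---
# -d detaches the swap provider on last close, so the one-time key never
# outlives the session.
geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"
```

With this layout /tmp, /var and /home simply live on the encrypted root (or on further .eli providers listed in geli_devices with a geli_<dev>_flags entry each), so the partition-by-partition list from the quoted messages collapses to one passphrase prompt at boot. The one thing this does not protect is the unencrypted loader and kernel on ad0s1a: GELI gives them no integrity check, so their hashes are worth recording and comparing after any time the machine has been out of your hands.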