Date: Wed, 9 Sep 2015 12:25:32 +1000
From: Fraser Tweedale <frase@frase.id.au>
To: Analysiser <analysiser@gmail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Passphraseless Disk Encryption Options?
Message-ID: <20150909022531.GW1656@bacardi.hollandpark.frase.id.au>
In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com>
References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com>

On Tue, Sep 08, 2015 at 10:22:21AM -0700, Analysiser wrote:
> Hi,
>
> I’m trying to perform a whole disk encryption for my boot drive to
> protect its data at rest. However I would like to have a mac OS X-ish
> full disk encryption that does not explicitly ask for a passphrase and
> would boot as normal without manual input of passphrase. I tried to do
> it with geli(8) but it seems there is no way I can avoid the manual
> interaction. Really curious if there is a way to achieve it? Thanks!
>
>
> Xiao
>

If the machine is on a trusted network, and if networking capabilities
are available in the boot environment, you can coordinate with another
host to decrypt the secret key and boot without operator intervention.

In the scheme proposed in [1] the secret is encrypted locally and sent
to a trusted server for decryption (TLS protects the secret on the
wire). A variation of this protocol that does not expose the secret to
the decryption service or on the wire is being investigated. You can
watch a demo[2] of the system in action.

The tech is all very Red Hat-centric at the moment but the general
approach or the specific protocol could be implemented for FreeBSD.

[1] http://www.freeipa.org/page/Network_Bound_Disk_Encryption
[2] https://www.youtube.com/watch?v=lyDmhhVgXEc

Cheers,
Fraser
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150909022531.GW1656>
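
The exchange described in the reply above (secret encrypted locally, sent to a trusted server for decryption), simulated on one host as an added example; it is not part of the original message and not the FreeIPA project's code. Assumptions: all function names and paths are hypothetical, RSA-OAEP via openssl(1) is chosen here as the wrapping cipher, a direct function call stands in for the TLS request, and the geli(8) line in the comment is one way the recovered key could be used.

```sh
#!/bin/sh
# Added example; every name and path below is hypothetical.
set -eu
OAEP="-pkeyopt rsa_padding_mode:oaep"   # assumption: RSA-OAEP as the wrapping cipher

# Decryption server, once: key pair; only server.pub is copied to clients.
nbde_server_init() {    # $1 = server dir
    mkdir -p "$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key" 2>/dev/null
    openssl pkey -in "$1/server.key" -pubout -out "$1/server.pub"
}

# Client, at provisioning: random disk key, wrapped to the server's public key.
# Only the wrapped blob is stored on the client; $3 should live on tmpfs.
nbde_provision() {      # $1 = server.pub  $2 = client dir  $3 = plaintext key out
    mkdir -p "$2"
    openssl rand -out "$3" 64
    openssl pkeyutl -encrypt -pubin -inkey "$1" $OAEP -in "$3" -out "$2/disk.key.enc"
}

# Server, per request: unwrap one blob. A deployment would put this behind TLS
# and authenticate and log the requesting host before answering.
nbde_server_decrypt() { # $1 = server dir  $2 = blob in  $3 = key out
    openssl pkeyutl -decrypt -inkey "$1/server.key" $OAEP -in "$2" -out "$3"
}

# Client, at boot: hand the blob to the server and fail closed on any error.
# The direct function call stands in for the TLS request.
nbde_boot_unlock() {    # $1 = server dir  $2 = client dir  $3 = key out
    if ! nbde_server_decrypt "$1" "$2/disk.key.enc" "$3" 2>/dev/null; then
        rm -f "$3"
        echo "decryption service unavailable or blob rejected" >&2
        return 1
    fi
    # Assumption: the key then serves as a geli keyfile, e.g.
    #   geli attach -p -k "$3" <provider>
}

# Constructed demo run in a scratch directory.
demo=$(mktemp -d)
nbde_server_init "$demo/srv"
nbde_provision "$demo/srv/server.pub" "$demo/cli" "$demo/disk.key"
nbde_boot_unlock "$demo/srv" "$demo/cli" "$demo/unlocked.key"
cmp -s "$demo/disk.key" "$demo/unlocked.key" && echo "key recovered via server"
rm -rf "$demo"
```

In this form the server sees the plaintext key on every boot, which is the exposure the variation mentioned in the reply aims to remove.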
