From owner-freebsd-hackers@freebsd.org Wed Sep 9 02:53:25 2015
Date: Wed, 9 Sep 2015 12:25:32 +1000
From: Fraser Tweedale
To: Analysiser
Cc: freebsd-hackers@freebsd.org
Subject: Re: Passphraseless Disk Encryption Options?
Message-ID: <20150909022531.GW1656@bacardi.hollandpark.frase.id.au>
In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com>

On Tue, Sep 08, 2015 at 10:22:21AM -0700, Analysiser wrote:
> Hi,
>
> I’m trying to perform a whole disk encryption for my boot drive to protect its data at rest. However I would like to have a Mac OS X-ish full disk encryption that does not explicitly ask for a passphrase and would boot as normal without manual input of a passphrase. I tried to do it with geli(8) but it seems there is no way I can avoid the manual interaction. Really curious if there is a way to achieve it? Thanks!
>
> Xiao
>

If the machine is on a trusted network, and if networking capabilities are available in the boot environment, you can coordinate with another host to decrypt the secret key and boot without operator intervention. In the scheme proposed in [1] the secret is encrypted locally and sent to a trusted server for decryption (TLS protects the secret on the wire). A variation of this protocol that does not expose the secret to the decryption service or on the wire is being investigated. You can watch a demo[2] of the system in action.
The tech is all very Red Hat-centric at the moment but the general approach or the specific protocol could be implemented for FreeBSD.

[1] http://www.freeipa.org/page/Network_Bound_Disk_Encryption
[2] https://www.youtube.com/watch?v=lyDmhhVgXEc

Cheers,
Fraser
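The exchange Fraser describes, as an added example that is not part of the original thread and not code from the FreeIPA/Red Hat project he links to: a client provisions by encrypting its disk key locally under the decryption server's public key, keeps only the ciphertext on the boot media, and at boot sends that ciphertext to the server, which decrypts it and returns the key. The Go below models that flow in-process. The TLS session that protects the request and reply in the real scheme is not modelled, and every name here (`DecryptionServer`, `Provision`, `Unlock`, `SealHeader`, the OAEP label, the volume marker) is constructed for the example. The AES-GCM sealed-header check is also an addition: it lets the client confirm the returned key before trusting it, so a wrong server or an altered reply fails closed rather than being fed to the volume. The variation that keeps the secret hidden from the decryption service is left out, since the reply gives no detail of it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel ties a ciphertext to this purpose (constructed value).
var oaepLabel = []byte("disk-key-v1")

// DecryptionServer models the trusted host on the local network. It holds the
// private key and handles the disk key only while servicing a request.
// Constructed model of the scheme the reply describes, not the project's code.
type DecryptionServer struct {
	priv *rsa.PrivateKey
}

func NewDecryptionServer() (*DecryptionServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &DecryptionServer{priv: priv}, nil
}

// PublicKey is what the client fetches out of band at provisioning time.
func (s *DecryptionServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// HandleRequest is the server's side of the boot-time exchange: decrypt the blob
// the client sent and hand back the plaintext (TLS around it is not modelled).
func (s *DecryptionServer) HandleRequest(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.priv, wrapped, oaepLabel)
}

// Provision runs once while the disk key is in hand: encrypt it locally under the
// server's public key. Only the ciphertext stays on the unencrypted boot media.
func Provision(pub *rsa.PublicKey, diskKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, diskKey, oaepLabel)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealHeader writes a small AES-GCM header under the disk key (nonce prepended).
// At boot it lets the client confirm the key it got back before trusting it.
func SealHeader(diskKey, marker []byte) ([]byte, error) {
	gcm, err := gcmFor(diskKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, marker, nil), nil
}

// Unlock is the client's boot-time step: send the stored ciphertext, take the
// returned key, and refuse it unless it authenticates the sealed header.
func Unlock(server *DecryptionServer, wrapped, sealedHeader []byte) ([]byte, error) {
	key, err := server.HandleRequest(wrapped)
	if err != nil {
		return nil, fmt.Errorf("decryption service refused request: %w", err)
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealedHeader) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed header too short")
	}
	nonce, ct := sealedHeader[:gcm.NonceSize()], sealedHeader[gcm.NonceSize():]
	if _, err := gcm.Open(nil, nonce, ct, nil); err != nil {
		return nil, fmt.Errorf("recovered key does not open volume header: %w", err)
	}
	return key, nil
}

func main() {
	server, _ := NewDecryptionServer()
	diskKey := make([]byte, 32) // constructed: a fresh 256-bit volume key
	rand.Read(diskKey)
	wrapped, _ := Provision(server.PublicKey(), diskKey)
	sealed, _ := SealHeader(diskKey, []byte("volume-marker"))
	key, err := Unlock(server, wrapped, sealed)
	fmt.Println("unlocked without passphrase:", err == nil && bytes.Equal(key, diskKey))
}
```

Running it with `go run` prints `unlocked without passphrase: true`. The property worth noticing is where state lives: the server stores nothing per client, the client stores nothing it can decrypt on its own, and neither the ciphertext on the boot media nor the private key on the server is sufficient alone, which is what makes the trusted-network assumption in the reply load-bearing.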