From: Wes Peters
Organization: Softweyr.com
To: "Stalker"
Date: Tue, 13 May 2003 20:14:34 -0700
Subject: Re: Crypted Disk Question

On Tuesday 13 May 2003 14:53, Stalker wrote:
> Hi
>
> I would like to know if anyone has thought of or come up with a
> solution to this problem.
>
> With encrypted disks, when you mount them it requires you to enter a
> password, and I'm wondering if anyone has come up with a way that
> maintains the security, but also automates the process of entering
> the password. I know of scripts and that, but that still leaves the
> password in plain text. I was wondering if anyone has written a
> program to accomplish this, or if someone has thought of a better way
> to get around this problem, and still keep a high level of security
> while doing this.
>
> If someone has an idea of how to do this, I don't mind writing the
> program myself to do it, I'm just trying to find a decent way to do
> this.

It depends on the level of security you want. You could put the crypto
keys on a little USB dongle and leave that plugged into the computers;
in case of "emergency" you can yank the dongle and the power cord and
run. That's still not very secure, depending on how close the machines
are to your pillow. Any mechanism that can enter the keys automagically
can be used against you if it is captured "intact enough."

A system that can come up into a running state and page you for a new
key, with some sort of remote re-keying capability, would be a better
design. I think RIM Blackberry can do this sort of back-and-forth with
a bit of development. The system in question would bring itself up far
enough to request and receive keys, then mount the encrypted
filesystems and continue once the keys are received.

That would be a fun system to design and make actually work. ;^)

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                   wes@softweyr.com
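
An added example of the boot-stage step described in the reply above (not part of the original message, and not code from its author): the machine asks for a key, waits for the reply, and attaches the volume only once the key arrives. `request_cmd` and `attach_cmd` are hypothetical hooks standing in for the paging channel and for the disk-encryption tool's attach command; the demo hooks and their key are constructed.

```shell
#!/bin/sh
# Added example, not from the original message.
# Hypothetical hooks (assumptions):
#   request_cmd  pages the operator, blocks until a reply, prints the key on stdout
#   attach_cmd   reads the key on stdin, then attaches and mounts the volume

unlock_volume() {
    request_cmd=$1
    attach_cmd=$2
    max_tries=${3:-3}
    try=1
    while [ "$try" -le "$max_tries" ]; do
        # The key is held only in a shell variable: it is never written to
        # a file, and printf is a builtin in FreeBSD sh and bash, so it never
        # appears in the argument list of a process that ps(1) could display.
        if key=$("$request_cmd") && [ -n "$key" ]; then
            if printf '%s\n' "$key" | "$attach_cmd"; then
                unset key
                return 0
            fi
        fi
        unset key
        try=$((try + 1))
    done
    # Fail closed: the caller carries on booting with the encrypted
    # filesystems left unmounted rather than falling back to a stored key.
    return 1
}

# Constructed stand-ins so the script runs offline: sh unlock.sh demo
demo_request() { printf 'constructed-demo-key'; }
demo_attach() {
    read -r k
    [ "$k" = 'constructed-demo-key' ] && echo "volume attached"
}

if [ "${1:-}" = demo ]; then
    unlock_volume demo_request demo_attach 3 || echo "still locked"
fi
```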