From: "Lucky Green"
Subject: BDE drive encryption practices and techniques?
Date: Sun, 15 Dec 2002 18:58:37 -0800
Message-ID: <000d01c2a4af$09e638b0$6401a8c0@VAIO650>
Sender: owner-freebsd-current@FreeBSD.ORG

I plan to deploy GBDE in an environment in which the absolute maximum of the system that can reasonably be kept encrypted on disk will be kept in an encrypted format. The system has the following requirements:

1) It must remain possible to administer the host over ssh. This includes rebooting the host.

2) /home must be encrypted.

3) The machine is not required to permit non-root login or accept mail until root has mounted the encrypted partitions over ssh. Furthermore, performance requirements are not an issue. Assume plenty of CPU and RAM.

4) /var/mail must be encrypted.

5) /var/log/maillog must be encrypted.

6) /var/log/messages should be encrypted; however, syslog must be able to write messages to the log from boot. (These two combined requirements may at first seem mutually exclusive, though this may not actually be the case; perhaps the log could be buffered to a memory device and written to /var/log/messages once /var becomes available.)

7) Once the encrypted partitions are mounted, the rest of the services should start up automatically as they would have if all partitions had been mounted initially.

8) It sure would be nice if everything in /usr not required to boot the system were encrypted.

Is anybody here working on a similar configuration? Do you have any suggestions how to best accomplish some or all of these requirements? Sample modifications to rc.*?

Thanks in advance,
--Lucky