From: Matt Piechota <piechota@argolis.org>
To: freebsd-security@freebsd.org
Date: Fri, 15 Jun 2012 14:11:16 -0400
Subject: Re: Pre-boot authentication / geli-aware bootcode
Message-id: <4FDB7AC4.3060709@argolis.org>

On 06/15/2012 01:40 PM, Simon L. B. Nielsen wrote:
> On Jun 11, 2012 1:22 AM, "Robert Simmons" wrote:
>> Would it be possible to make FreeBSD's bootcode aware of geli encrypted
>> volumes?
>> I would like to enter the password and begin decryption so that the
>> kernel and /boot are inside the encrypted volume. Ideally the only
>> unencrypted area of the disk would be the gpt protected mbr and the
>> bootcode.
>>
>> I know that Truecrypt is able to do something like this with its
>> truecrypt boot loader; is something like this possible with FreeBSD
>> without using Truecrypt?
>
> I just booted off a USB flash key. Then your entire drive can be encrypted.
>

While true, the point (to me at least) is that with your kernel (and in Linux's case, initrd) in the clear it's possible for someone to bury a trojan of some sort in there waiting for you to boot up and start doing something nefarious (open backdoors, keylogging, etc.). I suppose you could check hashes of the kernel stuff and whatnot on booting to see if they haven't been modified, but that's not fool-proof either.

That's obviously some pretty cloak and dagger stuff, but the company I work for requires full disk encryption. I've never actually asked if /boot counts, somewhat fearing the answer and resulting hassle from the largely paper-pushing security types.

The USB key method isn't bad, but it realistically only adds obfuscation unless you keep your laptop and the key separate. Knowing myself, I'd forget one or the other fairly often. :)

-- 
Matt Piechota
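The "check hashes of the kernel stuff on booting" idea from the message above, as an added example that is not part of the original post or of FreeBSD: a POSIX shell manifest builder and verifier for an unencrypted /boot tree. The manifest format (one "<sha256>  <relative path>" line per file) and the demo directory layout are assumptions of this example. The demo builds a constructed sample tree, confirms an intact tree passes, then shows that an added file, a modified kernel and a deleted file are each reported.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): detect changes to the
# files in an unencrypted /boot by comparing them against a saved manifest.
# Manifest format assumed here: "<hex sha256>  <relative path>" per line.

# hash_file <path>: print the SHA-256 of a file on Linux (sha256sum) or
# FreeBSD (sha256 -q), so the same script runs on either.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# build_manifest <root> <manifest>: record the hash of every regular file
# under <root>, paths relative to <root>, sorted for a stable manifest.
build_manifest() {
    root=$1; manifest=$2
    : > "$manifest"
    (cd "$root" && find . -type f | sort) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(hash_file "$root/$rel")" "$rel" >> "$manifest"
    done
}

# verify_manifest <root> <manifest>: return 0 only if every listed file is
# present with the recorded hash AND no unlisted file exists under <root>.
# Each problem is reported on stderr as MISSING, MODIFIED or UNLISTED.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while IFS= read -r line; do
        want=${line%%  *}          # text before the first double space
        rel=${line#*  }            # text after it
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING $rel" >&2; bad=1; continue
        fi
        got=$(hash_file "$root/$rel")
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $rel" >&2; bad=1
        fi
    done < "$manifest"
    # A file dropped into /boot (say, a new kernel module) is not caught by
    # the loop above, so also flag anything on disk that the manifest lacks.
    listed=$(awk '{print $2}' "$manifest" | sort)
    present=$(cd "$root" && find . -type f | sort)
    printf '%s\n' "$present" | while IFS= read -r rel; do
        printf '%s\n' "$listed" | grep -q -x -F -- "$rel" \
            || { echo "UNLISTED $rel" >&2; exit 1; }
    done || bad=1
    return $bad
}

# demo: constructed sample tree (stand-in for /boot) in a temp directory.
# Returns 0 if the verifier behaves as expected on intact and tampered trees.
demo() {
    tmp=$(mktemp -d); root=$tmp/boot; mkdir -p "$root/kernel"
    printf 'constructed kernel bytes\n' > "$root/kernel/kernel"
    printf 'geom_eli_load="YES"\n'      > "$root/loader.conf"
    build_manifest "$root" "$tmp/manifest"
    verify_manifest "$root" "$tmp/manifest" 2>/dev/null || return 1   # intact: pass
    printf 'constructed module\n' > "$root/kernel/extra.ko"             # added file
    verify_manifest "$root" "$tmp/manifest" 2>/dev/null && return 1   # must fail
    rm "$root/kernel/extra.ko"
    printf 'appended payload\n' >> "$root/kernel/kernel"               # modified
    verify_manifest "$root" "$tmp/manifest" 2>/dev/null && return 1   # must fail
    rm "$root/loader.conf"                                             # missing
    verify_manifest "$root" "$tmp/manifest" 2>/dev/null && return 1   # must fail
    rm -rf "$tmp"
    return 0
}
```

The caveat the poster raises applies directly: if the verifier and its manifest live in the same unencrypted /boot as the kernel, whoever can rewrite the kernel can rewrite them too, and a trojaned kernel controls what any later check observes. Keeping the manifest inside the geli volume (checked after it is attached) or on separate media raises the bar for an offline modification, but it does not make the check a substitute for bootcode that can decrypt and authenticate the kernel before running it.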