From: Pawel Jakub Dawidek
To: Steve Bertrand, freebsd-questions@freebsd.org
Date: Mon, 22 Oct 2007 19:46:30 +0200
Subject: Re: Booting a GELI encrypted hard disk
Message-ID: <20071022174629.GA1118@garage.freebsd.pl>
References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl>
In-Reply-To: <20071010175349.GB9770@slackbox.xs4all.nl>

On Wed, Oct 10, 2007 at 07:53:49PM +0200, Roland Smith wrote:
> On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> > Hi all,
> >
> > I am voraciously attempting to get a FreeBSD system to boot from a GELI
> > encrypted hard disk, but am having problems.
>
> You don't need to encrypt the whole hard disk. You can encrypt separate
> slices. There is no need to encrypt stuff like / or /usr; what is there
> that needs to be kept secret?

Maybe not encryption, but integrity protection is very important for
laptops. GELI has supported integrity protection for a while now. If you
don't protect the integrity of your entire laptop disk, it is trivial to
trojan userland utilities and/or the kernel and steal your password. If
someone needs your data, he can dump the encrypted partition, trojan your
system, and once you connect to the internet and attach your encrypted
partition, the trojan will send the password to the attacker. Many people
often leave their laptops in hotel rooms, for example.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
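
An added illustration of the integrity protection argued for in the message above; it is not code from the thread or from GELI. It models only the idea (a keyed HMAC per sector, bound to the sector number), not GELI's on-disk format, and the key, sector size and contents are constructed.

```python
import hashlib
import hmac

SECTOR = 512  # constructed sector size for this model


def tag(key: bytes, index: int, data: bytes) -> bytes:
    """Keyed tag over the sector number and the sector contents."""
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()


def write_disk(key: bytes, sectors: list) -> list:
    """Store every sector next to its tag."""
    return [(data, tag(key, i, data)) for i, data in enumerate(sectors)]


def read_sector(key: bytes, disk: list, index: int) -> bytes:
    """Return the data only if its tag verifies; otherwise refuse the read."""
    data, stored = disk[index]
    if not hmac.compare_digest(stored, tag(key, index, data)):
        raise IOError(f"sector {index}: integrity check failed")
    return data


def audit(key: bytes, disk: list) -> list:
    """List the sector numbers that no longer verify."""
    bad = []
    for i in range(len(disk)):
        try:
            read_sector(key, disk, i)
        except IOError:
            bad.append(i)
    return bad


def demo() -> dict:
    key = hashlib.sha256(b"constructed passphrase").digest()
    sectors = [bytes([i]) * SECTOR for i in range(4)]  # constructed contents
    disk = write_disk(key, sectors)
    clean = audit(key, disk)
    # Offline change made without the key: data replaced, old tag left behind.
    disk[1] = (b"\xff" * SECTOR, disk[1][1])
    # A valid sector and its tag copied to a different offset.
    disk[3] = disk[0]
    return {"clean": clean, "after_tampering": audit(key, disk)}


if __name__ == "__main__":
    print(demo())
```

Without the per-sector tag, both changes in `demo()` would be read back as ordinary data, which is the situation the message describes for an unprotected / or /usr.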