From: Martin Laabs
To: freebsd-questions@freebsd.org
Date: Sat, 29 Dec 2012 22:43:29 +0100
Subject: Re: Full disk encryption without root partition
Message-ID: <50DF6401.50001@martinlaabs.de>

Hi,

>> Are there any plans or is there already support for full
>> disk encryption without the need for a boot partition?

Well - what would be your benefit? OK - you might not create another partition, but I think this is not the problem.

From the point of security you would not get any improvement, because some type of software has to be unencrypted. And this software could be manipulated to do things like e.g. send the encryption key to . So from this point of view there is no difference whether the kernel is unencrypted or any other type of software (that runs before the kernel) is unencrypted.

There is a solution named Secure Boot together with TPM, but this introduces some other aspects that are not so very welcome in the open source community.

So from the security point of view it might be a good choice to have an unencrypted and (hardware) read-only boot partition.

Best regards,
Martin Laabs
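The mail's point is that whatever sits on the unencrypted boot partition can be modified, so at minimum its contents should be checked against a known-good state. The following is an added example (not code from the post or from FreeBSD) of such a check: a SHA-256 manifest taken while the boot tree is trusted, compared against the live tree to report modified, missing and added files. The boot tree here is constructed in a temporary directory; a real deployment would keep the manifest where someone with access to the boot partition cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large kernel images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_boot(root: Path, manifest: dict) -> dict:
    """Compare the live boot tree with the known-good manifest; report every deviation."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a trusted boot tree, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "kernel").mkdir(parents=True)
        (boot / "loader").write_bytes(b"constructed loader image")
        (boot / "loader.conf").write_text("# constructed loader.conf\n")
        (boot / "kernel" / "kernel").write_bytes(b"constructed kernel image")
        manifest = build_manifest(boot)       # taken while the tree is trusted
        clean = verify_boot(boot, manifest)   # nothing has changed yet
        # Simulate what the mail warns about: the unencrypted loader is replaced,
        # an unknown module appears and a configuration file disappears.
        (boot / "loader").write_bytes(b"constructed loader image, patched")
        (boot / "kernel" / "unexpected.ko").write_bytes(b"constructed module")
        (boot / "loader.conf").unlink()
        tampered = verify_boot(boot, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

As the mail argues, a verifier that itself lives on the unencrypted partition can be patched along with the files it checks, so the manifest and the code comparing it must be anchored elsewhere (inside the encrypted volume, on read-only media, or in the Secure Boot/TPM chain the mail mentions).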