From owner-freebsd-questions@FreeBSD.ORG Sat Dec 29 22:53:24 2012
Date: Sat, 29 Dec 2012 23:53:19 +0100
From: Polytropon <freebsd@edvax.de>
To: Martin Laabs
Cc: freebsd-questions@freebsd.org
Subject: Re: Full disk encryption without root partition
Message-Id: <20121229235319.2ee5cb85.freebsd@edvax.de>
In-Reply-To: <50DF6401.50001@martinlaabs.de>
References: <50DF6401.50001@martinlaabs.de>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
List-Id: User questions <freebsd-questions@freebsd.org>

On Sat, 29 Dec 2012 22:43:29 +0100, Martin Laabs wrote:
> So from the security point of view it might be a good choice to have a
> unencrypted and (hardware) readonly boot partition.

To prevent unintended modification of the boot process's components, an option would be to have the system boot from R/O media (SD card, USB stick or USB "card in stick") and then _remove_ this media when the system has been booted.
Of course this requires the physical presence of some kind of operator who is confirmed to handle this specific media. The rest of the system on disk and the data may be encrypted now, and if (physically) stolen, the disks are useless.

I agree that this kind of security isn't possible everywhere, especially not if you cannot physically access your server.

To prevent further "bad things" (like someone stealing this "boot stick"), manually entering a passphrase in combination with the keys on the stick could be required. Of course a strong passphrase would have to be chosen, and not written on the USB stick. :-)

The options one has on a _running_ system with encrypted components are a completely different topic.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
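The "key file on the removable boot stick plus a typed passphrase" setup from the reply above, written out as an added example (this is not code from the original post or from the FreeBSD project). It assumes the encrypted root provider is ada0p2, that the stick is mounted at /mnt/stick while you prepare it and is seen as /boot by loader(8) at boot time, and that the key file lives under keys/ on the stick; the geli(8) command uses -b so the kernel prompts for the passphrase at boot and -K so the key file is the second factor. Nothing here writes to a disk: the commands and loader.conf lines are printed so they can be reviewed, and a check function flags a loader.conf that stores the passphrase on the stick, which would collapse the two factors back to one.

```shell
#!/bin/sh
# Added example: geli key file on a removable boot stick + passphrase at boot.
# Assumptions (not from the original post): provider ada0p2, stick mounted at
# /mnt/stick during setup and visible as /boot at boot time. Nothing is written
# to a disk; commands and config are printed for review.
set -eu

# Print the commands that create a 64-byte random key file on the stick and
# initialise the provider with it. -b makes the kernel ask for the passphrase
# at boot; -K adds the key file, so BOTH factors are needed to attach.
geli_init_cmd() {
    provider=$1   # e.g. ada0p2
    keyfile=$2    # key file path as seen while the stick is mounted
    printf 'dd if=/dev/random of=%s bs=64 count=1\n' "$keyfile"
    printf 'geli init -b -s 4096 -K %s /dev/%s\n' "$keyfile" "$provider"
}

# Emit the loader.conf lines (documented in geli(8)) that make loader(8) read
# the key file from the stick's /boot and pass it to the kernel for PROVIDER.
loader_conf() {
    provider=$1
    bootpath=$2   # key file path as seen from the stick's /boot at boot time
    cat <<EOF
geom_eli_load="YES"
geli_${provider}_keyfile0_load="YES"
geli_${provider}_keyfile0_type="${provider}:geli_keyfile0"
geli_${provider}_keyfile0_name="${bootpath}"
EOF
}

# Return 0 if the stick's loader.conf holds no stored passphrase, 1 if it
# does. kern.geom.eli.passphrase in loader.conf is exactly "the passphrase
# written on the USB stick": whoever steals the stick gets both factors.
check_no_passphrase_on_stick() {
    conf=$1
    if grep -Eq '^[[:space:]]*kern\.geom\.eli\.passphrase[[:space:]]*=' "$conf"; then
        return 1
    fi
    return 0
}

# Demo on constructed input: one clean stick config, one with a stored passphrase.
tmp=$(mktemp -d)
loader_conf ada0p2 /boot/keys/ada0p2.key > "$tmp/loader.conf.good"
{
    loader_conf ada0p2 /boot/keys/ada0p2.key
    echo 'kern.geom.eli.passphrase="correct horse"'   # constructed bad line
} > "$tmp/loader.conf.bad"

geli_init_cmd ada0p2 /mnt/stick/keys/ada0p2.key
loader_conf ada0p2 /boot/keys/ada0p2.key
check_no_passphrase_on_stick "$tmp/loader.conf.good" && echo "good stick: key file only"
check_no_passphrase_on_stick "$tmp/loader.conf.bad" || echo "bad stick: passphrase stored next to key file"
```

Run the printed dd and geli init lines yourself once you have checked the provider name; after that, attaching at boot needs the stick present for the key file and an operator at the console for the passphrase, and the stick can be pulled once the root file system is mounted.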