From owner-freebsd-security@FreeBSD.ORG Thu Feb 19 22:09:18 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0742F33F for ; Thu, 19 Feb 2015 22:09:18 +0000 (UTC) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BFFE1AC5 for ; Thu, 19 Feb 2015 22:09:17 +0000 (UTC) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id t1JM9GqV048558 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 19 Feb 2015 14:09:16 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id t1JM9GY9048557; Thu, 19 Feb 2015 14:09:16 -0800 (PST) (envelope-from jmg) Date: Thu, 19 Feb 2015 14:09:16 -0800 From: John-Mark Gurney To: Alfred Hegemeier Subject: Re: freebsd-security Digest, Vol 522, Issue 1 Message-ID: <20150219220916.GF46794@funkthat.com> References: <2128122602.2736874.1424350240576.JavaMail.yahoo@mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <2128122602.2736874.1424350240576.JavaMail.yahoo@mail.yahoo.com> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Thu, 19 Feb 2015 14:09:16 -0800 (PST) Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2015 22:09:18 -0000 Alfred Hegemeier wrote this message on Thu, Feb 19, 2015 at 12:50 +0000: > just encrypt the whole hard drive with Geli. > That's the only protection I see: everything passing through the controllers is encrypted - unless keyloggers are installed, which you best protect against completely firewalling the "core" system, andhaving jails to access the outer world. > PCbsd already dumped complete auto hard drive encryption in their latest products - the automatic full HD encr was dumped when the Snowden stuff was revealed, I think with 10 release.So, I guess, they know why they removed it - makes it to secure. > > Which brings up an important question: how 'safe' is the encryption Geli, i.e. how can we know that developers are not on any agencies pay list ?Does that make sense  what I am writing in your opinion ? Having working on the AES-XTS code, and looked at the geli code to make it go faster, it's good code.. I don't see any major issues w/ it besides what is well know w/ using the various modes... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."