From owner-freebsd-questions@FreeBSD.ORG Sat Dec 29 23:26:05 2012
Date: Sat, 29 Dec 2012 23:25:59 +0000
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Full disk encryption without root partition
Message-ID: <20121229232559.6997b182@gumby.homeunix.com>
In-Reply-To: <50DF6401.50001@martinlaabs.de>
References: <50DF6401.50001@martinlaabs.de>
X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.6; amd64-portbld-freebsd8.3)
List-Id: User questions

On Sat, 29 Dec 2012 22:43:29 +0100
Martin Laabs wrote:

> Hi,
>
> >> Are there any plans or is there already support for full
> >> disk encryption without the need for a boot partition?
>
> Well - what would be your benefit? OK - you might not create another
> partition but I think this is not the problem.
> From the point of security you would not get any improvement because
> some type of software has to be unencrypted. And this software could be
> manipulated to do things like e.g. send the encryption key to
> . So from this point of view there is no difference whether
> the kernel is unencrypted or any other type of software (that runs
> before the kernel) is unencrypted.

And the advantage of putting the boot partition on a memory stick is
that it's much easier to keep such a device physically secure.
Bootstrapping code on the main hard drive is easier to attack. IIRC
someone demonstrated such an attack against one of the commercial
encryption packages.
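As an added illustration of the risk discussed in this thread (example code, not from the thread or from FreeBSD): a post-boot integrity check of the unencrypted boot partition against a manifest recorded while it was trusted and kept on the encrypted root. It only detects a patched loader or a planted module after the system is already up, so it complements keeping the boot media physically secure rather than replacing it; the file names and contents are constructed.

```python
# Added example, not code from the thread or from FreeBSD: a post-boot
# integrity check of the unencrypted boot partition that an encrypted root
# still depends on. All file names and contents below are constructed.
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so a large kernel is not held in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(boot_dir: str) -> dict:
    """Map every file under boot_dir: relative path -> SHA-256 hex digest."""
    root = Path(boot_dir)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_boot_manifest(boot_dir: str, manifest: dict) -> dict:
    """Diff the boot partition against a trusted manifest (kept on the encrypted
    root). Added files are reported too: a planted loader module is as
    dangerous as a patched loader."""
    current = build_manifest(boot_dir)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }

def is_clean(report: dict) -> bool:
    return not any(report.values())

def demo() -> dict:
    """Constructed boot partition: record a manifest, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "loader").write_bytes(b"loader (constructed)")
        (boot / "kernel").mkdir()
        (boot / "kernel" / "kernel").write_bytes(b"kernel (constructed)")
        manifest = build_manifest(tmp)  # taken while the partition is trusted
        (boot / "loader").write_bytes(b"loader (constructed) + key logger")
        (boot / "kernel" / "evil.ko").write_bytes(b"planted module (constructed)")
        return verify_boot_manifest(tmp, manifest)
```

Running the check from the encrypted root after boot, with the manifest stored there, is what keeps the reference hashes out of reach of anyone who can only touch the unencrypted partition.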