Date:      Sat, 29 Dec 2012 23:25:59 +0000
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Full disk encryption without root partition
Message-ID:  <20121229232559.6997b182@gumby.homeunix.com>
In-Reply-To: <50DF6401.50001@martinlaabs.de>
References:  <CAHUOma=wCDQPUy%2B6yVHnMDzd8j75pJ1xn7KBqknqnod99Abgtw@mail.gmail.com> <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw@mail.gmail.com> <50DF6401.50001@martinlaabs.de>

On Sat, 29 Dec 2012 22:43:29 +0100
Martin Laabs wrote:

> Hi,
> 
> >> Are there any plans or is there already support for full
> >> disk encryption without the need for a boot partition?
> 
> Well - what would be your benefit? OK - you might not create another
> partition but I think this is not the problem.
> From the point of security you would not get any improvement because
> some type of software has to be unencrypted. And this software could be
> manipulated to do things like e.g. send the encryption key to
> <attacker>. So from this point of view there is no difference whether
> the kernel is unencrypted or any other type of software (that runs
> before the kernel) is unencrypted.

And the advantage of putting the boot partition on a memory stick is
that it's much easier to keep such a device physically secure.

Bootstrapping code on the main hard drive is easier to attack. IIRC
someone demonstrated such an attack against one of the commercial
encryption packages.


