From owner-freebsd-geom@FreeBSD.ORG Fri Aug 24 18:37:51 2012 Return-Path: Delivered-To: freebsd-geom@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 91051106564A for ; Fri, 24 Aug 2012 18:37:51 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) by mx1.freebsd.org (Postfix) with ESMTP id 720558FC08 for ; Fri, 24 Aug 2012 18:37:51 +0000 (UTC) Received: from epsilon.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id 443031D1DC; Fri, 24 Aug 2012 11:37:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1345833471; bh=E2stDQ9vs6By0vHLojsiq6nnIqdna8gPAb5ua8UteWU=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=ac/OLZrPnwbgKGLJtjeLW1LZ8g8rW9OUHBr7/nsocnMSUhU7/Sl8BiayQ/1PjxExM Xla73HAMGqGUT0VWoUtJeOqBp/PKBDZcX73VmrxwpqdBnip6ylSCES2gKbUyz+R6Zt Vrns8bYwcs/fXGma8wlFnr+Dg/sMAiSbvyOa0cAk= Message-ID: <5037C9FE.2030800@delphij.net> Date: Fri, 24 Aug 2012 11:37:50 -0700 From: Xin Li Organization: The freeBSD Project User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:10.0.6esrpre) Gecko/20120727 Thunderbird/10.0.6 MIME-Version: 1.0 To: brouci tykadylko References: <3065.175.369-8674-1053163704-1345806974@seznam.cz> In-Reply-To: <3065.175.369-8674-1053163704-1345806974@seznam.cz> X-Enigmail-Version: 1.4.3 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-geom@freebsd.org Subject: Re: geli remote password entering X-BeenThere: freebsd-geom@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: GEOM-specific discussions and implementations List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Aug 2012 18:37:51 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/24/12 04:16, brouci tykadylko wrote: > Thinking about encrypting everything except /boot by geli(+zfs). > Since server is remote, there is a problem with entering the key > after restart. There is a possibility of KVM at datacenter, but I > don't want to bother with it upon every reboot, and not speaking > about possibility of remote interception. My idea so far is to use > RAMdisk image with bare ssh like DropBear (like here: > http://www.webgroup.ch/linuxtag2006/Paper.pdf), but i still didn't > try. Dream solution is a bootloader with a ssh interface, but I > didn't hear about any for fBSD. Did any of you try something > similar? Or do you have any other idea? I have posted something with similar idea here: http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html But this is different -- you can't have only /boot unencrypted because it requires / and /usr be available at very early boot time. Personally I'm not quite concerned with / unencrypted -- you could reveal /etc/master.passwd in the worst case but sensitive data can be stored in encrypted partitions. Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJQN8n+AAoJEG80Jeu8UPuztuUIAMMw3uQokMU59hEopWgqMnk/ BOJUT5XstwmGJ+FRcvgG3gcVGMzyC9qhCqeSIGGGP88k1riZjKmmmgLJ2k/YjtNt SlEojdj8py7r/ZzvpHK8HykA33V+F7LSxubtH+xZaWLcXyRXSOCsvVY+Xu/7jDPu 0oRYR2uAPnEqYoqPDVm7DZovL8T2HAf3cEDy1ZbaWl5tlkFejhgoCO9s2FY87ktU /K2TlZM7ksTndzCYJLW5BIan2On25IUW9QQyL61kRGsSbn10JzWI96wDO6xpwkra GDgnvXVQ2GqSviy1iSF3JJfMG43PnRQ20Eg2XikXmtCzTSx+MSSeVt282RuFyi4= =ENh1 -----END PGP SIGNATURE-----