From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 27 08:40:27 2015
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 08959A13 for ; Fri, 27 Mar 2015 08:40:27 +0000 (UTC)
Received: from puchar.net (puchar.net [188.252.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "puchar.net", Issuer "puchar.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 813ED9D1 for ; Fri, 27 Mar 2015 08:40:26 +0000 (UTC)
Received: from 127.0.0.1 (localhost [127.0.0.1]) by puchar.net (8.14.9/8.14.9) with ESMTP id t2R8eB1Z017410 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 27 Mar 2015 09:40:12 +0100 (CET) (envelope-from wojtek@puchar.net)
Received: from laptop.wojtek.intra (localhost [127.0.0.1]) by laptop.wojtek.intra (8.14.9/8.14.9) with ESMTP id t2R8e81u000765; Fri, 27 Mar 2015 09:40:09 +0100 (CET) (envelope-from wojtek@puchar.net)
Received: from localhost (wojtek@localhost) by laptop.wojtek.intra (8.14.9/8.14.9/Submit) with ESMTP id t2R8e32Y000762; Fri, 27 Mar 2015 09:40:03 +0100 (CET) (envelope-from wojtek@puchar.net)
X-Authentication-Warning: laptop.wojtek.intra: wojtek owned process doing -bs
Date: Fri, 27 Mar 2015 09:40:03 +0100 (CET)
From: Wojciech Puchar
X-X-Sender: wojtek@laptop.wojtek.intra
To: d@delphij.net
Subject: Re: GELI support on /boot folder
In-Reply-To: <55149D12.6070602@delphij.net>
Message-ID:
References: <55149D12.6070602@delphij.net>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (puchar.net [10.0.1.1]); Fri, 27 Mar 2015 09:40:12 +0100 (CET)
Cc: "" , Pedro Arthur
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 27 Mar 2015 08:40:27 -0000

>> in bootloader as a GSoC project, thus the /boot folder could be
>> encrypted.
>
> What's the benefit of encrypting /boot? If it's encrypted, will the

exactly none.

> (Use passphrase only is a bad idea because that would mean we
> essentially encrypt different data with the same key, if two encrypted
> providers both use the same passphrase. This is probably not a big

I use passphrase for root filesystem, put keyfiles generated from /dev/urandom on it and use for other filesystems.
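The layout the reply describes (passphrase on root, per-provider random keyfiles stored on that root and used for the other GELI providers) as an added example; this is not code from the mailing-list post or from FreeBSD itself. The provider name ada1p2 and the /root/keys path are hypothetical placeholders. The keyfile generation and checks run on any POSIX system; the geli(8) and rc.conf part only applies on a FreeBSD host and is kept in its own function.

```shell
#!/bin/sh
# Added example (not from the post): per-provider GELI keyfiles kept on the
# passphrase-protected root filesystem. Only root's passphrase is typed at
# boot; every other provider gets its own random key material, so two
# providers never share a key just because they share a passphrase.
# Device name (ada1p2) and /root/keys are hypothetical.

set -eu

# Generate a fresh 64-byte random keyfile from /dev/urandom, readable only by
# root. The umask makes sure the file is never world-readable, even briefly.
# Usage: make_keyfile /root/keys/ada1p2.key
make_keyfile() {
    keyfile=$1
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 0700 "$dir"
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=64 count=1 2>/dev/null)
    chmod 0600 "$keyfile"
}

# Return 0 if the keyfile is exactly 64 bytes and mode 0600: the two things
# worth verifying before a provider is committed to it.
check_keyfile() {
    keyfile=$1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 64 ] || return 1
    # ls -l mode string is portable across BSD and Linux; stat(1) flags are not
    mode=$(ls -l "$keyfile" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    return 0
}

# Initialise and attach a data provider with keyfile only (-P / -p: no
# passphrase), then print the rc.conf lines that let rc.d/geli attach it at
# boot once the passphrase-protected root is mounted. FreeBSD only.
setup_provider() {
    prov=$1            # e.g. ada1p2
    keyfile=$2         # e.g. /root/keys/ada1p2.key
    geli init -P -K "$keyfile" -e AES-XTS -l 256 -s 4096 "/dev/$prov"
    geli attach -p -k "$keyfile" "/dev/$prov"
    cat <<EOF
# append to /etc/rc.conf (geli_devices is a space-separated list)
geli_devices="$prov"
geli_${prov}_flags="-p -k $keyfile"
EOF
}

# Stand-alone run: create a keyfile in a temp dir and verify it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_keyfile "$tmp/ada1p2.key"
    check_keyfile "$tmp/ada1p2.key" && echo "keyfile ok: $tmp/ada1p2.key"
fi
```

Because the keyfiles live on the root filesystem, they are only readable once root has been unlocked with its passphrase, and losing the root passphrase or the keyfile directory means losing the data providers too, so the keyfiles belong in the same backup discipline as the root passphrase.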