From: Matthew Seaman
Date: Wed, 30 Jun 2010 17:44:46 +0100
To: Tim Gustafson
Cc: freebsd-questions@freebsd.org
Subject: Re: fusefs-cryptofs vs fusefs-cryptofs

On 30/06/2010 17:11:22, Tim Gustafson wrote:
> I was wondering if anyone could offer any personal experience with
> using either fusefs-cryptofs or fusefs-cryptofs.
>
> I'm going to be bringing a FreeBSD OpenLDAP server online soon and I
> need to have the contents of the OpenLDAP database encrypted in the
> event of a physical security breach, and so I need a reliable and
> efficient disk encryption scheme to handle that. I was thinking of
> encrypting /var/db/openldap using either fusefs-cryptofs or
> fusefs-cryptofs, but I'm not sure which would be better to use for
> this sort of application.

On FreeBSD, this is spelled GELI (or GBDE, but I think geli is slightly
better). Native filesystem level encryption -- rather more efficient
than something like fuse, needs no extra software installed, very secure.

See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW