Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 30 Dec 2012 10:34:51 +0100
From:      David Demelier <demelier.david@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Full disk encryption without root partition
Message-ID:  <50E00ABB.9080200@gmail.com>
In-Reply-To: <20121229235319.2ee5cb85.freebsd@edvax.de>
References:  <CAHUOma=wCDQPUy%2B6yVHnMDzd8j75pJ1xn7KBqknqnod99Abgtw@mail.gmail.com> <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw@mail.gmail.com> <50DF6401.50001@martinlaabs.de> <20121229235319.2ee5cb85.freebsd@edvax.de>

next in thread | previous in thread | raw e-mail | index | archive | help
On 29/12/2012 23:53, Polytropon wrote:
> On Sat, 29 Dec 2012 22:43:29 +0100, Martin Laabs wrote:
>> So from the security point of view it might be a good choice to have a
>> unencrypted and (hardware) readonly boot partition.
>
> To prevent unintended modification by <attacker> of the
> boot process's components, an option would be to have the
> system boot from a R/O media (SD card, USB stick or USB
> "card in stick") and then _remove_ this media when the
> system has been booted. Of course this requires physical
> presence of some kind of operator who is confirmed to
> handle this specific media. The rest of the system on
> disk and the data may be encrypted now, and if (physically)
> stolen, the disks are useless. I agree that such kind of
> security isn't possible everywhere, especially not if
> you cannot physically access your server.
>
> To prevent further "bad things" (like someone steals
> this "boot stick"), manually entering a passphrase in
> combination with the keys on the stick could be required.
> Of course a strong passphrase would have to be chosen,
> and not written on the USB stick. :-)
>
> The options <attacker> has on a _running_ system with
> encrypted components is a completely different topic.
>
>
>

I think a good idea would be to store the key directly in the 
bootloader, but that needs a large enough partition scheme that can 
store the bootloader (boot0 or boot1) plus the encryption key. However 
this needs to add support for that in both boot files and will be bigger.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50E00ABB.9080200>