From owner-freebsd-questions@FreeBSD.ORG  Wed Jan 14 17:40:21 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C91CC1065673
	for <freebsd-questions@freebsd.org>;
	Wed, 14 Jan 2009 17:40:21 +0000 (UTC)
	(envelope-from steve@ibctech.ca)
Received: from ibctech.ca (v6.ibctech.ca [IPv6:2607:f118::b6])
	by mx1.freebsd.org (Postfix) with SMTP id 62E4F8FC22
	for <freebsd-questions@freebsd.org>;
	Wed, 14 Jan 2009 17:40:21 +0000 (UTC)
	(envelope-from steve@ibctech.ca)
Received: (qmail 32665 invoked by uid 89); 14 Jan 2009 17:53:35 -0000
Received: from unknown (HELO ?IPv6:2607:f118::5?)
	(steve@ibctech.ca@2607:f118::5)
	by 2607:f118::b6 with ESMTPA; 14 Jan 2009 17:53:35 -0000
Message-ID: <496E237C.2010606@ibctech.ca>
Date: Wed, 14 Jan 2009 12:40:12 -0500
From: Steve Bertrand <steve@ibctech.ca>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Johann Hasselbach <jhass88@gmail.com>
References: <ab52c4f40901140923k58245c1au2b4a2c89adde90bc@mail.gmail.com>
In-Reply-To: <ab52c4f40901140923k58245c1au2b4a2c89adde90bc@mail.gmail.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd encrypted hard disk?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2009 17:40:22 -0000

Johann Hasselbach wrote:
> I read the "encrypting disk partitions" section of the Handbook. What
> is the preferred method nowdays, geli or gbde?
> 
> Is there another method that would be better?

I don't know what is best, but for quite some time I've used GELI to
encrypt my entire hard disk, including the / partition.

I then copy /boot to a USB thumb drive with the encryption key so I
don't need any portion of the hard disk unencrypted. This setup also
allows me to pull the USB key from the machine after it has been booted,
taking the encryption key with me.

I've never had a problem.

pearl# df -h
Filesystem       Size    Used   Avail Capacity  Mounted on
/dev/ar0.elia    504M    377M     87M    81%    /
devfs            1.0K    1.0K      0B   100%    /dev
/dev/ar0.elie     47G    9.6G     34G    22%    /usr
/dev/ar0.elif     47G    7.2G     36G    17%    /var
/dev/ar0.elig     47G     25G     19G    57%    /home

Steve