Date: Tue, 8 Sep 2015 18:14:28 +0000 From: "Li, Xiao" <xaol@amazon.com> To: Igor Mozolevsky <igor@hybrid-lab.co.uk>, Analysiser <analysiser@gmail.com> Cc: Hackers freeBSD <freebsd-hackers@freebsd.org> Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <D214715D.1A32%xaol@amazon.com> In-Reply-To: <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
Hi Igor, Thanks for the suggestion! Iım trying to achieve that the data could only be accessed in a trusted booted system and cannot be decrypted when the startup disk is a cold storage device. Something like FileVault on Mac OS X (https://support.apple.com/en-us/HT204837). I admit the protocol is broken. Like in geli, there have to be an unencrypted /boot partition to load kernel, and the rest of the OS is on an encrypted large storage partition. Iım thinking if I could make it passwordless then the passphrase or the key have to be stored on the unencrypted partition which would definitely break the security protocol, therefore Iım wondering if the passphrase or the key could be protected in the non volatile memory of some firmwares like TPM and could be retrieved only in known system status Thanks again! Xiao On 9/8/15, 10:44 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor Mozolevsky" <owner-freebsd-hackers@freebsd.org on behalf of igor@hybrid-lab.co.uk> wrote: >On 8 September 2015 at 18:22, Analysiser <analysiser@gmail.com> wrote: > >Iım trying to perform a whole disk encryption for my boot drive to protect >> its data at rest. However I would like to have a mac OS X-ish full disk >> encryption that does not explicitly ask for a passphrase and would boot >>as >> normal without manual input of passphrase. I tried to do it with geli(8) >> but it seems there is no way I can avoid the manual interaction. Really >> curious if there is a way to achieve it? Thanks! >> > > >Do you mean like DVD "encryption'? If you are able to decrypt the contents >of the disk without something that only the person in front for the >computer either has or knows then *anyone* would be able to decrypt it. > >What is the actual problem you're trying to solve? Remember that >encryption >is just a tool and not a solution- you need a good security protocol that >will protect your data, and by the sound of it the protocol you propose >(self-decrypting drive) is just broken. > > >-- >Igor M. >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D214715D.1A32%xaol>