From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:14:46 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1FC149CC610 for ; Tue, 8 Sep 2015 18:14:46 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) Received: from smtp-fw-4101.amazon.com (smtp-fw-4101.amazon.com [72.21.198.25]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "amazon-smtp.amazon.com", Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B21ED12D5 for ; Tue, 8 Sep 2015 18:14:45 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1441736085; x=1473272085; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=H3ePO+LI72W0MT1ZSBYZtS006yzdR35ftJI/onJZb6A=; b=S//MVfDPMFmpsdftYtjL8fx5pPtf532qahqQbpzQRzSCaFTgZRlSfJIx t2Bsw1OUn3yBhEij6pr/lC7F9wHmZSIu8za1hr2gd+4l1zU2XMcd6bMws 0V5WmrZMgdEHKvdDyK0zbWADG4Jt1uYE60AG+RkOMYlHvsLqdfQ1Vvz+l Q=; X-IronPort-AV: E=Sophos;i="5.17,491,1437436800"; d="scan'208";a="340900718" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-62006.pdx2.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2015 18:14:43 +0000 Received: from ex10-hub-7001.ant.amazon.com (pdx1-ws-svc-lb16-vlan2.amazon.com [10.239.138.210]) by email-inbound-relay-62006.pdx2.amazon.com (8.14.7/8.14.7) with ESMTP id t88IEOKV010319 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Sep 2015 18:14:42 GMT Received: from EX13D10UWB001.ant.amazon.com (10.43.161.111) by ex10-hub-7001.ant.amazon.com (10.43.103.49) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 8 Sep 2015 11:14:31 -0700 Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by EX13D10UWB001.ant.amazon.com (10.43.161.111) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 8 Sep 2015 18:15:11 +0000 Received: from EX13D10UWB004.ant.amazon.com ([10.43.161.121]) by EX13D10UWB004.ant.amazon.com ([10.43.161.121]) with mapi id 15.00.1076.000; Tue, 8 Sep 2015 18:14:28 +0000 From: "Li, Xiao" To: Igor Mozolevsky , Analysiser CC: Hackers freeBSD Subject: Re: Passphraseless Disk Encryption Options? Thread-Topic: Passphraseless Disk Encryption Options? Thread-Index: AQHQ6lr6Ydzyitj3H0mec7eivE1jBJ4y5y6A//+TKIA= Date: Tue, 8 Sep 2015 18:14:28 +0000 Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.43.162.217] Content-Type: text/plain; charset="Windows-1252" Content-ID: <32855FAB13F0B3499E0CE7D8F1E1A495@ant.amazon.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Precedence: Bulk X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:14:46 -0000 Hi Igor, Thanks for the suggestion! I=B9m trying to achieve that the data could only be accessed in a trusted booted system and cannot be decrypted when the startup disk is a cold storage device. Something like FileVault on Mac OS X (https://support.apple.com/en-us/HT204837). I admit the protocol is broken. Like in geli, there have to be an unencrypted /boot partition to load kernel, and the rest of the OS is on an encrypted large storage partition. I=B9m thinking if I could make it passwordless then the passphrase or the key have to be stored on the unencrypted partition which would definitely break the security protocol, therefore I=B9m wondering if the passphrase or the key could be protected i= n the non volatile memory of some firmwares like TPM and could be retrieved only in known system status=8A Thanks again! Xiao On 9/8/15, 10:44 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor Mozolevsky" wrote: >On 8 September 2015 at 18:22, Analysiser wrote: > >I=B9m trying to perform a whole disk encryption for my boot drive to prote= ct >> its data at rest. However I would like to have a mac OS X-ish full disk >> encryption that does not explicitly ask for a passphrase and would boot >>as >> normal without manual input of passphrase. I tried to do it with geli(8) >> but it seems there is no way I can avoid the manual interaction. Really >> curious if there is a way to achieve it? Thanks! >> > > >Do you mean like DVD "encryption'? If you are able to decrypt the contents >of the disk without something that only the person in front for the >computer either has or knows then *anyone* would be able to decrypt it. > >What is the actual problem you're trying to solve? Remember that >encryption >is just a tool and not a solution- you need a good security protocol that >will protect your data, and by the sound of it the protocol you propose >(self-decrypting drive) is just broken. > > >--=20 >Igor M. >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"