Date:      Wed, 10 Oct 2007 19:53:49 +0200
From:      Roland Smith <rsmith@xs4all.nl>
To:        Steve Bertrand <iaccounts@ibctech.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Booting a GELI encrypted hard disk
Message-ID:  <20071010175349.GB9770@slackbox.xs4all.nl>
In-Reply-To: <470CCDE2.9090603@ibctech.ca>
References:  <470CCDE2.9090603@ibctech.ca>

On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> Hi all,
>
> I am voraciously attempting to get a FreeBSD system to boot from a GELI
> encrypted hard disk, but am having problems.

You don't need to encrypt the whole hard disk. You can encrypt separate
slices. There is no need to encrypt stuff like / or /usr; what is there
that needs to be kept secret?

> All of my searches lead to the same problem...GELI passphrase can not be
> entered correctly upon boot. I have tried everything I have found on the
> web (including disabling 'kbdmux' in the kernel) to no avail.

With a normal AT keyboard I can enter the passphrase without problems,
for a non-root partition.

> Does anyone have a suggestion for a workaround?

Put all the data that really needs to be encrypted on a separate slice,
and encrypt that. Leave the rest unencrypted, especially /boot. As a
rule of thumb, don't bother encrypting anything that you can just
download from the internet. :-)

Here's how it looks on my machine:

Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/ar0s1a        496M    126M    330M    28%    /
devfs              1.0K    1.0K      0B   100%    /dev
/dev/ar0s1g.eli    120G     82G     28G    75%    /home
/dev/ar0s1e        496M     16K    456M     0%    /tmp
/dev/ar0s1f         19G    4.7G     13G    26%    /usr
/dev/ar0s1d        1.9G    152M    1.6G     8%    /var

As you can see only /home is encrypted because the rest doesn't hold
data worth encrypting.

If you encrypted / and /usr, you might actually make the system more
vulnerable to a known-plaintext attack, because there are a lot of files
with well-known contents there.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
