Date: Wed, 10 Oct 2007 14:34:16 -0400 From: Steve Bertrand <iaccounts@ibctech.ca> To: rsmith@xs4all.nl Cc: freebsd-questions@freebsd.org Subject: Re: Booting a GELI encrypted hard disk Message-ID: <470D1B28.9050308@ibctech.ca> In-Reply-To: <20071010175349.GB9770@slackbox.xs4all.nl> References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
> Put all the data that really needs to be encrypted on a separate slice, > and encrypt that. Leave the rest unencrypted, especially /boot. As a > rule of thumb; don't bother encrypting anything that you can just > download from the internet. :-) Fair enough, this makes sense. Thank you. > As you can see only /home is encrypted because the rest doesn't hold > data worth encrypting. Well, on mine it will. > If you encrypted / and /usr, you might actually make the system more > vulnerable to a known-plaintext attack, because there are a lot of files > with well-known contents there. I can get away with not having / encrypted, but I need /var encrypted for databases and logs etc, /tmp so any temporary files are secured and the swap file (swap very rarely gets used). So, I will test it as you suggested, however, would it be possible to still house my key on a removable USB stick, and after the slices are mounted into the file system successfully to then unmount and remove the USB drive and have the box remain in operation, or does the key need to be accessed throughout all disk reads/writes? Essentially, I'd like it so that if the box reboots while I am gone, or if I want to reboot it remotely there is theoretically no way for someone at the console to re-mount the encrypted slices? Thank you for all of this info! Steve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?470D1B28.9050308>