From owner-freebsd-questions@FreeBSD.ORG Wed Oct 10 18:34:02 2007
From: Steve Bertrand
To: rsmith@xs4all.nl
Cc: freebsd-questions@freebsd.org
Date: Wed, 10 Oct 2007 14:34:16 -0400
Subject: Re: Booting a GELI encrypted hard disk
Message-ID: <470D1B28.9050308@ibctech.ca>
In-Reply-To: <20071010175349.GB9770@slackbox.xs4all.nl>
References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl>

> Put all the data that really needs to be encrypted on a separate slice,
> and encrypt that. Leave the rest unencrypted, especially /boot. As a
> rule of thumb; don't bother encrypting anything that you can just
> download from the internet.
:-) Fair enough, this makes sense. Thank you.

> As you can see only /home is encrypted because the rest doesn't hold
> data worth encrypting.

Well, on mine it will.

> If you encrypted / and /usr, you might actually make the system more
> vulnerable to a known-plaintext attack, because there are a lot of files
> with well-known contents there.

I can get away with not having / encrypted, but I need /var encrypted for databases and logs etc., /tmp so any temporary files are secured, and the swap file (swap very rarely gets used).

So, I will test it as you suggested; however, would it be possible to still house my key on a removable USB stick, and after the slices are mounted into the file system successfully, to then unmount and remove the USB drive and have the box remain in operation, or does the key need to be accessed throughout all disk reads/writes?

Essentially, I'd like it so that if the box reboots while I am gone, or if I want to reboot it remotely, there is theoretically no way for someone at the console to re-mount the encrypted slices?

Thank you for all of this info!

Steve
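The setup Steve asks about, as an added example that is not part of the original thread and not FreeBSD's own rc.d/geli script. geli(8) reads a keyfile only while `geli attach` runs: the keyfile unwraps the master key stored in the provider's metadata, and that master key then lives in kernel memory for as long as the provider stays attached. So the USB stick can be unmounted and pulled once the slices are mounted, and after a reboot nothing on the box can re-attach them without the stick. Swap never needs a stored key at all; `geli onetime` encrypts it with a random key that is discarded at shutdown. Device names, the mount point /mnt/usbkey and the keyfile name geli.key are assumptions for illustration; the script expects the slices to have been initialised keyfile-only with `geli init -K <keyfile> -P <provider>`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): attach GELI slices with a
# keyfile kept on a removable USB stick, then release the stick.
# Assumed layout (hypothetical, override via environment variables):
#   USB stick   /dev/da0s1 (msdosfs), mounted read-only at /mnt/usbkey
#   keyfile     /mnt/usbkey/geli.key, created with: geli init -K <keyfile> -P <dev>
#   slices      /dev/ad0s1d -> /var, /dev/ad0s1e -> /tmp, /dev/ad0s1b -> swap
set -eu

USB_DEV=${USB_DEV:-/dev/da0s1}
USB_MNT=${USB_MNT:-/mnt/usbkey}
KEYFILE=${KEYFILE:-$USB_MNT/geli.key}
# "provider:mountpoint" pairs; swap is handled separately with a one-time key
SLICES=${SLICES:-"/dev/ad0s1d:/var /dev/ad0s1e:/tmp"}
SWAP_DEV=${SWAP_DEV:-/dev/ad0s1b}

# Mount the stick read-only and refuse to go on if the keyfile is missing,
# so a box booted without the stick simply leaves the slices detached.
mount_key_stick() {
    mount -o ro -t msdosfs "$USB_DEV" "$USB_MNT"
    [ -s "$KEYFILE" ] || { echo "keyfile $KEYFILE not found" >&2; return 1; }
}

# geli reads the keyfile only here: it unwraps the master key held in the
# provider metadata and caches it in the kernel. Later reads and writes of
# the .eli device never touch the keyfile again.
attach_slices() {
    for pair in $SLICES; do
        dev=${pair%%:*}
        mnt=${pair#*:}
        geli attach -k "$KEYFILE" "$dev"
        mount "$dev.eli" "$mnt"
    done
}

# Swap gets a random key that exists only in memory; -d detaches the
# provider on last close, so nothing survives a reboot.
attach_swap() {
    geli onetime -d "$SWAP_DEV"
    swapon "$SWAP_DEV.eli"
}

# Release the stick so it can be pulled. The attached slices keep working;
# only a re-attach (for instance after a reboot) would need the stick again.
release_key_stick() {
    umount "$USB_MNT"
}

attach_all() {
    mount_key_stick || return 1
    attach_slices
    attach_swap
    release_key_stick
}

# Run only when asked explicitly, e.g. from a local rc script:
#   sh geli-usbkey.sh attach
if [ "${1:-}" = attach ]; then attach_all; fi
```

The script keeps every real command (mount, geli, swapon, umount) as a plain name rather than an absolute path so it can be exercised on a non-FreeBSD host with shell functions standing in for them. Note that while the box is up the mounted filesystems are as readable to a root or console user as any other mounted filesystem; pulling the stick only protects against re-attachment after the providers are detached or the machine reboots.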