Date: Wed, 10 Oct 2007 23:17:01 +0200 From: Roland Smith <rsmith@xs4all.nl> To: Fabian Keil <freebsd-listen@fabiankeil.de> Cc: freebsd-questions@freebsd.org Subject: Re: Booting a GELI encrypted hard disk Message-ID: <20071010211701.GB15103@slackbox.xs4all.nl> In-Reply-To: <20071010201838.23fa7c2f@fabiankeil.de> References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl> <20071010201838.23fa7c2f@fabiankeil.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--gj572EiMnwbLXET9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 10, 2007 at 08:18:38PM +0200, Fabian Keil wrote: > Roland Smith <rsmith@xs4all.nl> wrote: >=20 > > On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote: >=20 > > > I am voraciously attempting to get a FreeBSD system to boot from a GE= LI > > > encrypted hard disk, but am having problems. > >=20 > > You don't need to encrypt the whole harddisk. You can encrypt separate > > slices. There is no need to encrypt stuff like / or /usr; what is there > > that needs to be kept secret? >=20 > Encryption isn't only useful for private data, > it also reduces the risk of third parties replacing > your binaries with Trojans while your away. If that someone can replace binaries on a running system, you're box has been h4x0red and you're screwed anyway. Doubly so if your encrypted filesystem was mounted at the time. :-) Disk encryption is mostly a defense against data-loss in case of the machine or disk being stolen.=20 It's easy enough to make a list of SHA256 checksums of all binaries and store that on the encrypted partition, so you can check the binaries any time you want. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --gj572EiMnwbLXET9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQFHDUFNEnfvsMMhpyURAkmZAJ0bPe9VYsxa9/9CT4ei/9UP3EiqiwCaA3Eb W88GtF4Nc6VcEkybRQUb9SQ= =vYGT -----END PGP SIGNATURE----- --gj572EiMnwbLXET9--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071010211701.GB15103>