Date: Wed, 08 Apr 2009 18:27:33 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: new_guy <byte8bits@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: geli on existing laptop
Message-ID: <49DCDE85.2070204@infracaninophile.co.uk>
In-Reply-To: <22951183.post@talk.nabble.com>
References: <22951183.post@talk.nabble.com>
new_guy wrote:
> Hi guys,
>
> I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
> have set up. The laptop is up and working fine and I don't want to screw it
> up. It has the default partition layout. I've already used geli to encrypt
> the swap partition.
>
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?
> 2. What's the most straight-forward way to go about this without screwing
> up?
>
> I already have the eli module loaded in the /boot/loader.conf so I won't
> need to re-compile, etc.
>
To convert a partition to geli requires you to wipe out all the contents,
scribble over the partition with random data to get rid of any remnants of
the unencrypted content, set up the encryption keys and then rebuild the file
system and recover the data from backup.

Yes, you will need to supply some sort of secret value to retrieve the
encrypted disk contents. This is usually configured to mean typing in a
passphrase at the time the partition is mounted, although it is also possible
to store crypto keys on a removable medium such as USB key -- you don't
necessarily have to use a pass phrase in that case, although it's a good idea
for the most effective security. Once the partition is mounted, you should be
able to take the key out and put it in a safe place and still keep running.

Depending on your requirements you can encrypt the whole drive -- which while
highly secure requires you to have crypto keys etc. on a removable medium and
is a little tricky to get working properly -- or you can create a small
unencrypted partition which should contain the kernel and necessary crypto bits
(ie. the contents of /boot at a minimum) and then encrypt things partition
by partition. You will have to type in a pass phrase to mount each different
encrypted partition -- to prevent this becoming too onerous, consider using a
'one big partition' layout.

Also note that you should encrypt the swap partition, or someone coming into
possession of the laptop may be trivially able to recover secret data from it:
this is pretty automated and can be achieved by simply editing /etc/fstab to
change the mount device to eg. /dev/ad0s1b.eli and rebooting -- an ephemeral
key is used, so no typing of passphrases is required in this instance. Setting up
a swap-backed tmpmfs will then give you an encrypted /tmp too.
Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
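As an added example (not from Matthew's reply or from the FreeBSD base system): a small POSIX sh script that does the /etc/fstab step he describes on a constructed sample fstab, rewriting each swap device that is not yet a `.eli` provider to `<device>.eli`, plus a check that reports any swap still configured unencrypted. The device names and the sample fstab are constructed to resemble the default 7.x layout.

```shell
#!/bin/sh
# Added example: rewrite swap entries in an fstab to the geli-backed
# device, as the reply describes. Works on text from stdin, so it can be
# dry-run anywhere; on a real box: encrypt_swap_entries < /etc/fstab.
# The matching swap-backed /tmp comes from /etc/rc.conf on FreeBSD:
#   tmpmfs="YES"
#   tmpsize="64m"

# Constructed sample fstab resembling the FreeBSD 7.x default layout.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options   Dump  Pass#
/dev/ad0s1b     none        swap    sw        0     0
/dev/ad0s1a     /           ufs     rw        1     1
/dev/ad0s1e     /tmp        ufs     rw        2     2
/dev/ad0s1f     /usr        ufs     rw        2     2
/dev/ad0s1d     /var        ufs     rw        2     2
/dev/acd0       /cdrom      cd9660  ro,noauto 0     0'

# encrypt_swap_entries: copy fstab from stdin to stdout, appending ".eli"
# to the device of every swap line that is not already a geli provider.
# Comments, non-swap lines and already-encrypted swap pass through
# unchanged, so running it twice is harmless.
encrypt_swap_entries() {
    awk '
        /^[^#]/ && $3 == "swap" && $1 !~ /\.eli$/ { sub(/^[^ \t]+/, "&.eli") }
        { print }
    '
}

# unencrypted_swap: print each swap device (from stdin) still lacking the
# .eli suffix; exit 1 if any was found, 0 if all swap is encrypted.
unencrypted_swap() {
    awk '
        /^[^#]/ && $3 == "swap" && $1 !~ /\.eli$/ { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_FSTAB" | unencrypted_swap      # prints /dev/ad0s1b
printf '%s\n' "$SAMPLE_FSTAB" | encrypt_swap_entries  # swap line now .eli
```

On a real system the ephemeral-key swap provider needs no passphrase, so after the fstab change a reboot is all that is required.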