From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Wed, 08 Apr 2009 18:27:33 +0100
To: new_guy
Cc: freebsd-questions@freebsd.org
Subject: Re: geli on existing laptop
Message-ID: <49DCDE85.2070204@infracaninophile.co.uk>
In-Reply-To: <22951183.post@talk.nabble.com>
List-Id: User questions (freebsd-questions@freebsd.org)

new_guy wrote:
> Hi guys,
>
> I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already
> have set up. The laptop is up and working fine and I don't want to screw it
> up. It has the default partition layout. I've already used geli to encrypt
> the swap partition.
>
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?
> 2. What's the most straightforward way to go about this without screwing
> up?
>
> I already have the eli module loaded in /boot/loader.conf so I won't
> need to re-compile, etc.
>

Converting a partition to geli requires you to wipe out all the contents,
scribble over the partition with random data to get rid of any remnants of
the unencrypted content, set up the encryption keys and then rebuild the
file system and recover the data from backup.

Yes, you will need to supply some sort of secret value to retrieve the
encrypted disk contents. This is usually configured to mean typing in a
passphrase at the time the partition is mounted, although it is also possible
to store crypto keys on a removable medium such as a USB key -- you don't
necessarily have to use a passphrase in that case, although it's a good
idea for the most effective security. Once the partition is mounted, you
should be able to take the key out and put it in a safe place and still keep
running.

Depending on your requirements you can encrypt the whole drive -- which, while
highly secure, requires you to have crypto keys etc. on a removable medium and
is a little tricky to get working properly -- or you can create a small
unencrypted partition which should contain the kernel and the necessary crypto
bits (i.e. the contents of /boot at a minimum) and then encrypt things
partition by partition. You will have to type in a passphrase to mount each
different encrypted partition -- to prevent this becoming too onerous,
consider using a 'one big partition' layout.

Also note that you should encrypt the swap partition, or someone coming into
possession of the laptop may be trivially able to recover secret data from
it: this is pretty automated and can be achieved by simply editing /etc/fstab
to change the mount device to e.g. /dev/ad0s1b.eli and rebooting -- an
ephemeral key is used, so no typing of passphrases is required in this
instance. Setting up a swap-backed tmpmfs will then give you an encrypted
/tmp too.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
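The partition-by-partition procedure Matthew outlines (back up, overwrite with random data, create the keys, rebuild the file system, restore) and the fstab trick for ephemeral-key swap, as an added example that is not part of the original thread: a small sh script that prints the plan by default (DRY_RUN=1) and only executes it when DRY_RUN=0 is set on a FreeBSD host as root. The device names (ad0s1d for /tmp, ad0s1b for swap), the key path on a USB stick, the dump file location, the `-s 4096 -l 256` geli parameters and the use of rc.conf's geli_devices/geli_<dev>_flags to attach the provider at boot are all assumptions chosen for illustration; geli init will prompt interactively for the passphrase that is combined with the keyfile.

```shell
#!/bin/sh
# Added example, not code from the original thread. Plans (or runs) the
# conversion of one existing UFS partition to geli in the order described
# in the reply: dump, wipe with random data, create key, init, newfs, restore.
# All device names and paths below are constructed for illustration.
#
# Usage:  sh geli_convert.sh            # print the plan (DRY_RUN=1, default)
#         DRY_RUN=0 sh geli_convert.sh  # really run it, as root, on FreeBSD

DRY_RUN=${DRY_RUN:-1}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# geli_convert <partition> <keyfile> <dumpfile> [mountpoint]
#   partition: provider name without /dev/, e.g. ad0s1d (default /tmp slice)
#   keyfile:   where the 64-byte random key is written (ideally a USB stick)
#   dumpfile:  level-0 dump used to rebuild the contents afterwards
#   mountpoint: where the new .eli file system is mounted for the restore
geli_convert() {
    part=$1; keyfile=$2; dumpfile=$3; mnt=${4:-/mnt}
    dev=/dev/$part

    # 1. Save the contents while still mounted (-L snapshots a live fs),
    #    then unmount so the raw device can be overwritten.
    run dump -0Laf "$dumpfile" "$dev"
    run umount "$dev"

    # 2. Overwrite the plaintext so no remnants survive on the disk.
    run dd if=/dev/random of="$dev" bs=1m

    # 3. Fresh 64-byte key on the removable medium. geli init combines it
    #    with the passphrase it prompts for (-P would use the keyfile alone).
    run dd if=/dev/random of="$keyfile" bs=64 count=1
    run geli init -s 4096 -l 256 -K "$keyfile" "$dev"

    # 4. Attach, build a new file system on the .eli provider, restore.
    run geli attach -k "$keyfile" "$dev"
    run newfs -U "$dev.eli"
    run mount "$dev.eli" "$mnt"
    run sh -c "cd $mnt && restore -rf $dumpfile"
    run umount "$mnt"
}

# geli_fstab_lines <data-partition> <mountpoint> <swap-partition>
# /etc/fstab entries: the converted partition mounts from its .eli device;
# swap with an .eli suffix gets an ephemeral key at boot, no passphrase.
geli_fstab_lines() {
    printf '/dev/%s.eli  %s  ufs  rw  2  2\n' "$1" "$2"
    printf '/dev/%s.eli  none  swap  sw  0  0\n' "$3"
}

# geli_rcconf_lines <data-partition> <keyfile>
# /etc/rc.conf entries so rc.d/geli attaches the provider at boot using the
# keyfile (the USB stick must be present) and prompts for the passphrase.
geli_rcconf_lines() {
    printf 'geli_devices="%s"\n' "$1"
    printf 'geli_%s_flags="-k %s"\n' "$1" "$2"
}

# Demonstration with the constructed names (prints only unless DRY_RUN=0).
geli_convert ad0s1d /mnt/usb/tmp.key /backup/tmp.dump /mnt
geli_fstab_lines ad0s1d /tmp ad0s1b
geli_rcconf_lines ad0s1d /mnt/usb/tmp.key
```

If /tmp is left unencrypted instead of converted, Matthew's alternative is the swap-backed tmpmfs (tmpmfs="YES" in rc.conf), which lands /tmp on the ephemeral-key swap device without any extra key management.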