Date: Wed, 8 Apr 2009 19:40:27 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: new_guy <byte8bits@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: geli on existing laptop
Message-ID: <20090408174027.GB97995@slackbox.xs4all.nl>
In-Reply-To: <22951183.post@talk.nabble.com>
References: <22951183.post@talk.nabble.com>
On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
>
> Hi guys,
>
> I'd like to use geli to whole-disk encrypt a FreeBSD 7.1 laptop I already
> have set up. The laptop is up and working fine and I don't want to screw it
> up. It has the default partition layout. I've already used geli to encrypt
> the swap partition.
>
> The default partitioning at install creates /, /tmp, /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?

You can use a password, a file containing a key or both. See geli(8).
The security of an encrypted partition relying solely on a key from
another partition is questionable at least.

> 2. What's the most straight-forward way to go about this without screwing
> up?

You cannot encrypt the whole disk. You'll need an unencrypted /boot
partition to read the kernel from, and an unencrypted boot sector.

Furthermore, you cannot encrypt a partition in place. You'll have to move
the data somewhere else, unmount the partition, encrypt it, newfs it,
attach and mount the encrypted partition and restore the data.

Personally, I think there is little value or security in encrypting / and
/usr. There is really nothing secret there. One could even argue that the
well-known content of / and /usr might facilitate known-plaintext attacks!
The only possible reason is to inconvenience a thief, but one might argue
that putting anything but Windows on it accomplishes that quite nicely. :-)
And if your laptop is not a powerhouse, using encryption is going to eat
CPU cycles.

My advice would be to put /home (where _your_ data resides) on a separate
partition and encrypt only that partition, with a password.
Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
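The migration Roland sketches (copy the data out, unmount, geli init, attach, newfs, mount, restore) together with the fstab and rc.conf wiring that makes the partition attach at boot, written out as an added example; it is not part of the original mail and not Roland's or the FreeBSD project's code. It assumes a hypothetical FreeBSD 7.x layout with /home on /dev/ad0s1f (ata(4) naming) and room under /var/tmp for a tar archive of /home; the device, mount point, archive path and optional key file are all variables you must set for your own machine.

```shell
#!/bin/sh
# Added example, not from the original mail: move an existing UFS partition
# onto geli with a passphrase, in the order the reply above describes, then
# wire /etc/fstab and /etc/rc.conf so rc.d/geli attaches it at boot.
#
# Assumptions (hypothetical; adjust for your machine): the partition is
# /dev/ad0s1f mounted on /home (FreeBSD 7.x ata(4) naming) and /var/tmp has
# room for a tar archive of /home. By default only the plan is printed;
# GELI_APPLY=1 executes it as root. KEYFILE, if set, adds a key file to the
# passphrase (geli's "both" case) rather than replacing it.

DEV="${DEV:-ad0s1f}"
MNT="${MNT:-/home}"
BACKUP="${BACKUP:-/var/tmp/home-backup.tar}"
KEYFILE="${KEYFILE:-}"

# Print the migration as one command per line. The order matters: the data
# is archived and the archive verified before anything is unmounted, the
# geli metadata is backed up right after init, and newfs runs on the
# attached .eli provider, never on the raw partition.
plan_home_encrypt() {
    dev="$1"; mnt="$2"; backup="$3"; keyfile="$4"
    initopt=""; attopt=""
    if [ -n "$keyfile" ]; then
        initopt=" -K $keyfile"
        attopt=" -k $keyfile"
    fi
    cat <<EOF
tar -C $mnt -cpf $backup .
tar -tf $backup >/dev/null
umount $mnt
geli init -s 4096 -l 256$initopt /dev/$dev
geli backup /dev/$dev /root/$dev.eli.metadata
geli attach$attopt /dev/$dev
newfs -U /dev/$dev.eli
mount /dev/$dev.eli $mnt
tar -C $mnt -xpf $backup
sed -i '' 's|^/dev/$dev[[:space:]]|/dev/$dev.eli |' /etc/fstab
echo 'geli_devices="$dev"' >> /etc/rc.conf
EOF
    if [ -n "$keyfile" ]; then
        echo "echo 'geli_${dev}_flags=\"-k $keyfile\"' >> /etc/rc.conf"
    fi
}

# 1-based line number of the first plan step starting with $2 (empty if none).
step_number() {
    printf '%s\n' "$1" | grep -n "^$2" | head -n 1 | cut -d: -f1
}

# Execute the plan line by line, stopping at the first failure. The plan is
# read from fd 3 so geli(8) still has the terminal on stdin for the
# passphrase prompts.
apply_plan() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_plan: must run as root" >&2; return 1; }
    mount | grep -q " on $2 " || { echo "apply_plan: $2 is not mounted" >&2; return 1; }
    tmpplan=$(mktemp /tmp/geliplan.XXXXXX) || return 1
    plan_home_encrypt "$@" > "$tmpplan"
    rc=0
    while IFS= read -r cmd <&3; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "apply_plan: failed at: $cmd" >&2; rc=1; break; }
    done 3< "$tmpplan"
    rm -f "$tmpplan"
    return $rc
}

if [ "${GELI_APPLY:-0}" = 1 ]; then
    apply_plan "$DEV" "$MNT" "$BACKUP" "$KEYFILE"
else
    plan_home_encrypt "$DEV" "$MNT" "$BACKUP" "$KEYFILE"
fi
```

Two points the plan makes explicit that the prose leaves implicit: newfs has to target the attached .eli provider (so attach comes before newfs), and `geli backup` is run immediately after `geli init`, because a damaged metadata sector on the last sector of the partition otherwise makes the whole partition unreadable, passphrase or not. Keep that metadata copy off the laptop. Without `-P`, `geli init` still prompts for a passphrase when a key file is given, which is the "password and key file" combination rather than the key-file-only setup Roland warns about.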