From: Roland Smith <rsmith@xs4all.nl>
To: new_guy
Cc: freebsd-questions@freebsd.org
Subject: Re: geli on existing laptop
Date: Wed, 8 Apr 2009 19:40:27 +0200
Message-ID: <20090408174027.GB97995@slackbox.xs4all.nl>
In-Reply-To: <22951183.post@talk.nabble.com>
User-Agent: Mutt/1.5.19 (2009-01-05)
X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725
X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt
X-GPG-Notice: If this message is not signed, don't assume I sent it!

On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
>
> Hi guys,
>
> I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
> have set up. The laptop is up and working fine and I don't want to screw it
> up. It has the default partition layout. I've already used geli to encrypt
> the swap partition.
>
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up.
>
> Some questions...
>
> 1. Will each partition have to be mounted with a password?

You can use a password, a file containing a key or both. See geli(8). The
security of an encrypted partition relying solely on a key from another
partition is questionable at least.

> 2. What's the most straight-forward way to go about this without screwing
> up?

You cannot encrypt the whole disk. You'll need an unencrypted /boot
partition to read the kernel from, and an unencrypted boot sector.

Furthermore, you cannot encrypt a partition in place. You'll have to move
the data somewhere else, unmount the partition, encrypt it, newfs it,
attach and mount the encrypted partition and restore the data.

Personally, I think there is little value or security in encrypting / and
/usr. There is really nothing secret there. One could even argue that the
well-known content of / and /usr might facilitate known plaintext attacks!
The only possible reason is to inconvenience a thief, but one might argue
that putting anything but Windows on it accomplishes that quite nicely. :-)
And if your laptop is not a powerhouse, using encryption is going to eat
CPU cycles.

My advice would be to put /home (where _your_ data resides) on a separate
partition and encrypt only that partition, with a password.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
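The procedure Roland describes (move the data off, unmount, geli init with a passphrase, attach, newfs the encrypted provider, mount, restore) together with his advice to encrypt only /home, written out as an added shell example. This is not code from the original thread or from the FreeBSD project. The device name /dev/ada0s1f, the mount point /home and the backup directory are placeholders; the script refuses / and /boot because the loader and kernel must stay readable, and it runs in dry-run mode by default so the plan can be reviewed before anything touches the disk. Actually executing it (DRYRUN=0) requires root on FreeBSD with geom_eli available; the sysrc step assumes a FreeBSD version that ships sysrc(8), on older releases append the loader.conf line by hand.

```shell
#!/bin/sh
# Added example, not from the original mail: encrypt one existing UFS
# partition with geli(8) by dumping it, re-creating it as a geli provider
# and restoring. Device, mount point and backup path below are assumptions.

DRYRUN="${DRYRUN:-1}"   # 1 = print the plan only (default), 0 = execute

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse targets this procedure must not touch: the root and /boot
# filesystems have to stay unencrypted for the loader and kernel, and a
# provider ending in .eli is already an attached geli device.
check_target() {
    dev="$1"; mnt="$2"
    case "$mnt" in
        /|/boot) echo "refusing $mnt: must stay unencrypted for booting" >&2; return 1 ;;
    esac
    case "$dev" in
        *.eli) echo "refusing $dev: already an attached geli provider" >&2; return 1 ;;
    esac
    return 0
}

# Emit (or run) the full sequence for one partition.
#   dev     raw provider, e.g. /dev/ada0s1f
#   mnt     its current mount point, e.g. /home
#   backup  directory on another disk for the dump and the geli metadata
geli_encrypt_plan() {
    dev="$1"; mnt="$2"; backup="$3"
    check_target "$dev" "$mnt" || return 1
    name=$(basename "$dev")

    # 1. Copy the data somewhere else (live dump via a UFS snapshot).
    run dump -0Laf "$backup/$name.dump" "$mnt"
    # 2. Unmount; the old filesystem is destroyed by newfs below.
    run umount "$mnt"
    # 3. Initialise geli metadata. geli init prompts for the passphrase.
    #    -s 4096: 4 KiB sectors; -b: ask for the passphrase at boot so the
    #    provider is attached before fstab is processed; -B: keep a copy of
    #    the metadata off this disk (without it the data is unrecoverable).
    run geli init -s 4096 -b -B "$backup/$name.eli.meta" "$dev"
    # 4. Attach; this creates $dev.eli, the plaintext side of the provider.
    run geli attach "$dev"
    # 5. Create the filesystem on the encrypted provider, not on $dev.
    run newfs -U "$dev.eli"
    # 6. Mount it and restore the data into it.
    run mount "$dev.eli" "$mnt"
    run sh -c "cd $mnt && restore -rf $backup/$name.dump"
    # 7. Point fstab at the .eli device and load geom_eli at boot so the
    #    kernel can prompt for the passphrase of the -b flagged provider.
    run sed -i.bak "s|^\($dev\)\([[:space:]]\)|\1.eli\2|" /etc/fstab
    run sysrc -f /boot/loader.conf geom_eli_load=YES
}

# Stand-alone use: print the plan for an encrypted /home.
geli_encrypt_plan /dev/ada0s1f /home /var/backups
```

The two things that most often go wrong with this are reflected in the plan: newfs must be run on the .eli provider rather than on the raw device (step 5), and the geli metadata backup written in step 3 must live somewhere other than the disk being encrypted, because a damaged metadata sector otherwise leaves the restore with nothing to attach.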