Date: Tue, 8 Sep 2015 18:27:39 +0000 From: "Li, Xiao" <xaol@amazon.com> To: "Li, Xiao" <xaol@amazon.com>, Igor Mozolevsky <igor@hybrid-lab.co.uk>, Analysiser <analysiser@gmail.com> Cc: Hackers freeBSD <freebsd-hackers@freebsd.org> Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <D2147620.1A4A%xaol@amazon.com> In-Reply-To: <D214715D.1A32%xaol@amazon.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com>
index | next in thread | previous in thread | raw e-mail
To clarify more, I’m trying to protect a headless device that has FreeBSD installed on it. There is no usb/video input, only NIC and power are exposed. And I’m trying to protect its bootable drive. On 9/8/15, 11:14 AM, "owner-freebsd-hackers@freebsd.org on behalf of Hackers freeBSD" <owner-freebsd-hackers@freebsd.org on behalf of freebsd-hackers@freebsd.org> wrote: >Hi Igor, > >Thanks for the suggestion! I¹m trying to achieve that the data could only >be accessed in a trusted booted system and cannot be decrypted when the >startup disk is a cold storage device. Something like FileVault on Mac OS >X (https://support.apple.com/en-us/HT204837). > >I admit the protocol is broken. Like in geli, there have to be an >unencrypted /boot partition to load kernel, and the rest of the OS is on >an encrypted large storage partition. I¹m thinking if I could make it >passwordless then the passphrase or the key have to be stored on the >unencrypted partition which would definitely break the security protocol, >therefore I¹m wondering if the passphrase or the key could be protected in >the non volatile memory of some firmwares like TPM and could be retrieved >only in known system statusŠ > >Thanks again! >Xiao > >On 9/8/15, 10:44 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor >Mozolevsky" <owner-freebsd-hackers@freebsd.org on behalf of >igor@hybrid-lab.co.uk> wrote: > >>On 8 September 2015 at 18:22, Analysiser <analysiser@gmail.com> wrote: >> >>I¹m trying to perform a whole disk encryption for my boot drive to >>protect >>> its data at rest. However I would like to have a mac OS X-ish full disk >>> encryption that does not explicitly ask for a passphrase and would boot >>>as >>> normal without manual input of passphrase. I tried to do it with >>>geli(8) >>> but it seems there is no way I can avoid the manual interaction. Really >>> curious if there is a way to achieve it? Thanks! >>> >> >> >>Do you mean like DVD "encryption'? If you are able to decrypt the >>contents >>of the disk without something that only the person in front for the >>computer either has or knows then *anyone* would be able to decrypt it. >> >>What is the actual problem you're trying to solve? Remember that >>encryption >>is just a tool and not a solution- you need a good security protocol that >>will protect your data, and by the sound of it the protocol you propose >>(self-decrypting drive) is just broken. >> >> >>-- >>Igor M. >>_______________________________________________ >>freebsd-hackers@freebsd.org mailing list >>https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >>To unsubscribe, send any mail to >>"freebsd-hackers-unsubscribe@freebsd.org" > >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D2147620.1A4A%xaol>