Date: Thu, 7 Jun 2007 16:54:31 +0200 From: cpghost <cpghost@cordula.ws> To: Eric F Crist <mnslinky@gmail.com>, freebsd-questions@freebsd.org Subject: Re: GEOM/GELI Boot Disk Encryption Message-ID: <20070607145431.GA65146@epia-2.farid-hajji.net> In-Reply-To: <20070606170044.GA59161@slackbox.xs4all.nl> References: <905f1be0706060528p3217f614he29a7d4b33ac01dc@mail.gmail.com> <20070606170044.GA59161@slackbox.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote: > On Wed, Jun 06, 2007 at 07:28:48AM -0500, Eric F Crist wrote: > > I'm trying to take a system that already has a running freebsd system (or I > > can start over), and make the entire system encrypted. I've found > > instructions (freebsd manual) for creating secondary disks, but not the boot > > disk in particular. > > > > Can anyone point me in the right direction? > > Personally, I wouldn't bother encrypting anything but your own data, > i.e. /home. And for backup purposes it's better to make a seperate slice > for that anyway. You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp, and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in addition to /home. Most userland programs can leak sensitive date there that you'd rather have encrypted too. Add to this: stuff like /var/db (esp. useful for /var/db/pgsql, /var/db/mysql, mail spool directories and some such), and maybe /var/log as well. Encrypting the complete /var filesystem is easier though... Some ports also use /usr/local/www to store user-specific data, but what's the point of encrypting this? ;-) > Roland > -- > R.F.Smith http://www.xs4all.nl/~rsmith/ > [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] > pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) Regards, -cpghost. -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070607145431.GA65146>