Date:      Sat, 29 Dec 2012 22:43:29 +0100
From:      Martin Laabs <info@martinlaabs.de>
To:        freebsd-questions@freebsd.org
Subject:   Re: Full disk encryption without root partition
Message-ID:  <50DF6401.50001@martinlaabs.de>
In-Reply-To: <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw@mail.gmail.com>
References:  <CAHUOma=wCDQPUy%2B6yVHnMDzd8j75pJ1xn7KBqknqnod99Abgtw@mail.gmail.com> <CAHUOmant1m446mVY85R7EpBd2Pw14gdL03fpmVPMKsrr_epfPw@mail.gmail.com>

Hi,

>> Are there any plans or is there already support for full
>> disk encryption without the need for a boot partition?

Well - what would be your benefit? OK - you might not create another
partition but I think this is not the problem.
From the point of security you would not get any improvement because some
type of software has to be unencrypted. And this software could be
manipulated to do things like e.g. send the encryption key to <attacker>.
So from this point of view there is no difference whether the kernel is
unencrypted or any other type of software (that runs before the kernel) is
unencrypted.
There is a solution named secureboot together with TPM but this introduces
some other aspects that are not so very welcome in the open source community.
So from the security point of view it might be a good choice to have an
unencrypted and (hardware) read-only boot partition.

Best regards,
 Martin Laabs



