Date: Mon, 17 Jan 2011 22:05:53 -0700
From: Modulok <modulok@gmail.com>
To: Roland Smith <rsmith@xs4all.nl>
Cc: Alokat <mailing@alokat.org>, freebsd-questions@freebsd.org
Subject: Re: harddrive encryption
Message-ID: <AANLkTinruOxi_1FFDZzfhSojk1u%2B_XfGsJkDiSbMOuMW@mail.gmail.com>
In-Reply-To: <20110117225308.GA40523@slackbox.erewhon.net>
References: <4D34A6EF.30600@alokat.org> <20110117225308.GA40523@slackbox.erewhon.net>

On 1/17/11, Roland Smith <rsmith@xs4all.nl> wrote:
> On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
>> Hi,
>>
>> is it possible to encrypt my full harddrive (excluding /boot) during a
>> freebsd installation. Or do I have to do this after the installation
>> manually?
>
> Currently you have to do it manually afterwards.
>
> Personally, I would not bother encrypting the OS data; there is nothing
> secret there, and it does have a performance impact. Plus it would provide
> ample material for a known-plaintext attack!
>

Modern ciphers such as AES are not susceptible to known plaintext attacks.

The advantage to full disk encryption, including operating system data, is
that nothing is ever accidentally missed. The hard drive can safely be thrown
out when it fails or is decommissioned, with no worry that some temporary file
or database somewhere you forgot about wasn't on the right partition.

Regardless, these are only offline protections from physical theft for low to
moderately motivated attackers. If you had a database of medical or financial
records, disk encryption is probably a good thing. Otherwise
http://xkcd.com/538/

The real danger is loss or corruption of the decryption keys. Make backups!

-Modulok-