Date: Tue, 08 Sep 2015 13:02:55 -0700
From: perryh@pluto.rain.com (Perry Hutchison)
To: xaol@amazon.com
Cc: freebsd-hackers@freebsd.org, igor@hybrid-lab.co.uk, analysiser@gmail.com
Subject: Re: Passphraseless Disk Encryption Options?
Message-ID: <55ef3eef.qeb%2BJh3sjv8B9NgH%perryh@pluto.rain.com>
In-Reply-To: <D2147620.1A4A%xaol@amazon.com>
References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com> <D2147620.1A4A%xaol@amazon.com>

Xiao Li wrote:

> I'm trying to protect a headless device that has FreeBSD installed
> on it. There is no usb/video input, only NIC and power are exposed.
> And I'm trying to protect its bootable drive.

I think this is fundamentally impossible* to do, with any real security. It is like stashing a key to your house somewhere in the barn: you think no one else knows where that key is, but anyone who figures out what you've done can get in.

In Apple's scheme, at least the house key is in a lockbox -- the login password is the key to the lockbox -- but even there the hard drive encryption is ultimately only as strong as the login password.

* Granted, statements like this carry some risk of ending up in the same category as "There is no reason for anyone to have a home computer" (Gordon Bell), or "No one should ever need more than 640K of main memory" (Bill Gates).