Date: Tue, 8 Sep 2015 15:22:59 -0700 From: Analysiser <analysiser@gmail.com> To: Igor Mozolevsky <igor@hybrid-lab.co.uk> Cc: Xin LI <d@delphij.net>, Hackers freeBSD <freebsd-hackers@freebsd.org> Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> In-Reply-To: <CADWvR2gkLR2VLsUw_MRyLBaFmftP0WuJqR3_n1SpT_WEDRuL6w@mail.gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com> <CADWvR2iVubsBQjnvQ8mDGGS7ujsR8wPQ2RAxn=kvFkmVGQkXiQ@mail.gmail.com> <D2147761.1A53%xaol@amazon.com> <55EF4B65.8030905@delphij.net> <D5104DE1-F889-422E-8017-25B6555396F0@gmail.com> <CADWvR2gkLR2VLsUw_MRyLBaFmftP0WuJqR3_n1SpT_WEDRuL6w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Igor, I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being = tampered with by someone who has physically access to the disk. He might = put it on some other machine, add some malicious code or check the logs = stored in /var, and then put it back my machine, when the machine is = stayed in some public untrusted environment. When I regain the machine = from a public untrusted environment and boot the disk, some malicious = code might running and try to contaminate my own network or other = machines, or monitor my activities with the machine.=20 I hope I explained clearer this time :) Xiao > On Sep 8, 2015, at 3:09 PM, Igor Mozolevsky <igor@hybrid-lab.co.uk> = wrote: >=20 >=20 >=20 > On 8 September 2015 at 22:50, Analysiser <analysiser@gmail.com = <mailto:analysiser@gmail.com>> wrote: > Hi all, >=20 > Thank you so much for all the insights here! I think I is my bad not = to clarify the situation very well but still I found a lot of things I = could try from the replies. In my case I could not do remote passphrase = and and USB boot and/or USB hold key/passphrase since the device might = not always have internet access and no ports (internally or externally = are exposed). >=20 > I think your suggestions in separating the root filesystem and user = space applications and data and perform encryption only on user portion = is a more reasonable practice given the time scale on the project I=E2=80=99= m working on. Thanks again! >=20 > I still have some more detailed questions I=E2=80=99m seeking for an = answer related to the full startup disk encryption: >=20 >=20 > <snip> >=20 > I think you're worrying about the problem from the wrong end- what is = it that you're attempting to protect, I'm still unsure of that?.. >=20 >=20 > --=20 > Igor M.=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?74385D4D-48C7-4B5B-BF94-B99806C667EE>