Date:      Wed, 9 Sep 2015 11:56:38 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Passphraseless Disk Encryption Options?
Message-ID:  <74e08b7d.41e63923@fabiankeil.de>
In-Reply-To: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com>
References:  <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> <D214715D.1A32%xaol@amazon.com> <CADWvR2iVubsBQjnvQ8mDGGS7ujsR8wPQ2RAxn=kvFkmVGQkXiQ@mail.gmail.com> <D2147761.1A53%xaol@amazon.com> <55EF4B65.8030905@delphij.net> <D5104DE1-F889-422E-8017-25B6555396F0@gmail.com> <CADWvR2gkLR2VLsUw_MRyLBaFmftP0WuJqR3_n1SpT_WEDRuL6w@mail.gmail.com> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com>

Analysiser <analysiser@gmail.com> wrote:

> I’m trying to protect my startup disk’s data from being tampered with
> by someone who has physical access to the disk. He might put it on some
> other machine, add some malicious code or check the logs stored in /var,
> and then put it back in my machine, when the machine has stayed in some public
> untrusted environment. When I regain the machine from a public untrusted
> environment and boot the disk, some malicious code might be running and try
> to contaminate my own network or other machines, or monitor my activities
> with the machine.

You can boot the system using an encrypted root pool by putting a
geli keyfile and essential parts of the kernel on an unencrypted
boot pool that is destroyed and overwritten once the system has
booted.

I do that with ElectroBSD but it works on vanilla FreeBSD as
well. It's not perfect, but depending on your threat model it
may be good enough:
https://www.fabiankeil.de/gehacktes/electrobsd/#fde
https://www.fabiankeil.de/gehacktes/cloudiatr/

Fabian
