Date: Tue, 8 Sep 2015 18:14:28 +0000 From: "Li, Xiao" <xaol@amazon.com> To: Igor Mozolevsky <igor@hybrid-lab.co.uk>, Analysiser <analysiser@gmail.com> Cc: Hackers freeBSD <freebsd-hackers@freebsd.org> Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <D214715D.1A32%xaol@amazon.com> In-Reply-To: <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <CADWvR2iv7xz02Fw9b=159%2BSMuphQGRKZsfyy9DDeqGMxn=p1BA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Igor, Thanks for the suggestion! I=B9m trying to achieve that the data could only be accessed in a trusted booted system and cannot be decrypted when the startup disk is a cold storage device. Something like FileVault on Mac OS X (https://support.apple.com/en-us/HT204837). I admit the protocol is broken. Like in geli, there have to be an unencrypted /boot partition to load kernel, and the rest of the OS is on an encrypted large storage partition. I=B9m thinking if I could make it passwordless then the passphrase or the key have to be stored on the unencrypted partition which would definitely break the security protocol, therefore I=B9m wondering if the passphrase or the key could be protected i= n the non volatile memory of some firmwares like TPM and could be retrieved only in known system status=8A Thanks again! Xiao On 9/8/15, 10:44 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor Mozolevsky" <owner-freebsd-hackers@freebsd.org on behalf of igor@hybrid-lab.co.uk> wrote: >On 8 September 2015 at 18:22, Analysiser <analysiser@gmail.com> wrote: > >I=B9m trying to perform a whole disk encryption for my boot drive to prote= ct >> its data at rest. However I would like to have a mac OS X-ish full disk >> encryption that does not explicitly ask for a passphrase and would boot >>as >> normal without manual input of passphrase. I tried to do it with geli(8) >> but it seems there is no way I can avoid the manual interaction. Really >> curious if there is a way to achieve it? Thanks! >> > > >Do you mean like DVD "encryption'? If you are able to decrypt the contents >of the disk without something that only the person in front for the >computer either has or knows then *anyone* would be able to decrypt it. > >What is the actual problem you're trying to solve? Remember that >encryption >is just a tool and not a solution- you need a good security protocol that >will protect your data, and by the sound of it the protocol you propose >(self-decrypting drive) is just broken. > > >--=20 >Igor M. >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D214715D.1A32%xaol>