Date: Fri, 29 Jul 2005 08:37:35 -0500 From: Eric Anderson <anderson@centtech.com> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: current@FreeBSD.org Subject: Re: GELI - disk encryption GEOM class committed. Message-ID: <42EA311F.1020902@centtech.com> In-Reply-To: <20050729133324.GL609@darkness.comp.waw.pl> References: <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch> <42E981B9.5060500@datacomm.ch> <20050729103655.GG609@darkness.comp.waw.pl> <42EA205B.2000907@cytexbg.com> <42EA2EFE.3030800@centtech.com> <20050729133324.GL609@darkness.comp.waw.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Pawel Jakub Dawidek wrote: > On Fri, Jul 29, 2005 at 08:28:30AM -0500, Eric Anderson wrote: > +> Niki Denev wrote: > +> >Pawel Jakub Dawidek wrote: > +> > > +> Booting from Encrypted Root: > +> > > +> >>+> GELI - Works. How'd one load the kernel from an encrypted root > +> >>though? > +> >> > +> >>Kernel has to be loaded from a USB Pen-Drive or a CD-ROM. > +> >>You need to put /boot/ directory in there. GELI will ask for the > +> >>passphrase > +> >>before root file system is mounted. After that you can remove > +> >>Pen-Drive/CD-ROM. > +> >> > +> > > +> >Wouldn't it work if /boot is small separate unencrypted partition? > +> >( Well, there is the possibility that someone replaces your kernel > +> >with one with keylogger to catch your password next time you type it :)) > +> >I use this method for bootable RAID1+0 with GEOM's stripe and mirror, > +> >and it seems to work great. > +> > +> Maybe you could write up a quick howto on your setup, and post it/submit > +> it to the doc@ team. > > I'd prefer not to, as if you keep your kernel and modules decrypted, there > is no point to encrypt root file system. Hmm - is that really true? How can one decrypt the root partition data without the key, but with the kernel and modules? It seems that if that is a problem, than encrypting any partition without the kernel/modules encrypted would be the same scenario. I think there still is benefit in encrypting the root, but not /boot. Eric -- ------------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology Anything that works is better than anything that doesn't. ------------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42EA311F.1020902>