Date:      Mon, 17 Jan 2011 23:53:09 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        Alokat <mailing@alokat.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: harddrive encryption
Message-ID:  <20110117225308.GA40523@slackbox.erewhon.net>
In-Reply-To: <4D34A6EF.30600@alokat.org>
References:  <4D34A6EF.30600@alokat.org>

On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
> Hi,
>
> is it possible to encrypt my full harddrive (excluding /boot) during a
> freebsd installation. Or do I have to do this after the installation
> manually?

Currently you have to do it manually afterwards.

Personally, I would not bother encrypting the OS data; there is nothing secret
there, and it does have a performance impact. Plus it would provide ample
material for a known-plaintext attack!

What you can do is set apart a partition during installation where you are
going to store your data, be it /home, /var/www or whatever. After
installation, encrypt that partition with geli(8), newfs it and put the name
of the *.eli device in /etc/fstab. That should make the startup scripts ask
for the passphrase.

Do not rely on a keyfile that resides on a disk in the machine (that would
make encryption futile)! Use a passphrase instead.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
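
The procedure described in the message above (encrypt a data partition with geli(8), newfs it, list the .eli device in /etc/fstab), written out as an added example that is not part of the original e-mail. The provider name `ada0p4`, the mount point `/home`, the 4096-byte sector size, UFS with soft updates, and the `RUN`/`FSTAB` dry-run variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): passphrase-only geli(8)
# setup for one data partition on FreeBSD. Run as root.
# Assumed names: provider ada0p4, mount point /home, RUN and FSTAB overrides.

RUN=${RUN:-}                 # set RUN=echo to print commands instead of running them
FSTAB=${FSTAB:-/etc/fstab}   # override to test against a copy

# True if the provider (plain or .eli) is already listed in the fstab file.
provider_in_fstab() {
    awk -v p="/dev/$1" '$1 == p || $1 == p ".eli" { found = 1 }
                        END { exit !found }' "$FSTAB"
}

# fstab entry that names the *.eli device, as the message recommends.
eli_fstab_line() {
    printf '/dev/%s.eli\t%s\tufs\trw\t2\t2\n' "$1" "$2"
}

encrypt_data_partition() {
    prov=$1
    mnt=$2
    if [ -z "$prov" ] || [ -z "$mnt" ]; then
        echo "usage: encrypt_data_partition <provider> <mountpoint>" >&2
        return 2
    fi
    # Guard: never re-initialise a partition the system already mounts.
    if provider_in_fstab "$prov"; then
        echo "$prov is already listed in $FSTAB; refusing to touch it" >&2
        return 1
    fi
    # No -K keyfile and no -P: geli prompts for a passphrase, so nothing
    # stored on a disk in the machine can unlock the data.
    $RUN geli init -s 4096 "/dev/$prov" || return 1
    $RUN geli attach "/dev/$prov" || return 1
    # Existing data on the partition is lost here.
    $RUN newfs -U "/dev/$prov.eli" || return 1
    if [ -n "$RUN" ]; then
        eli_fstab_line "$prov" "$mnt"          # dry run: show the entry only
    else
        eli_fstab_line "$prov" "$mnt" >> "$FSTAB"
    fi
}
```

Calling `RUN=echo; encrypt_data_partition ada0p4 /home` prints the commands and the fstab entry without changing anything.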

--pf9I7BMVVzbSWLtt
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (FreeBSD)

iEYEARECAAYFAk00yFQACgkQEnfvsMMhpyWM+QCfaPMlciz8u0CT5mHqu21vzE5b
7LsAoKemTNrNyLSOOJmDYHRAIvpifKWc
=eyr7
-----END PGP SIGNATURE-----

--pf9I7BMVVzbSWLtt--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110117225308.GA40523>