From owner-freebsd-questions@FreeBSD.ORG Mon Jan 17 22:53:11 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC9001065673 for ; Mon, 17 Jan 2011 22:53:11 +0000 (UTC) (envelope-from rsmith@xs4all.nl) Received: from smtp-vbr9.xs4all.nl (smtp-vbr9.xs4all.nl [194.109.24.29]) by mx1.freebsd.org (Postfix) with ESMTP id 748468FC14 for ; Mon, 17 Jan 2011 22:53:11 +0000 (UTC) Received: from slackbox.erewhon.net (slackbox.xs4all.nl [213.84.242.160]) by smtp-vbr9.xs4all.nl (8.13.8/8.13.8) with ESMTP id p0HMr9bh005849; Mon, 17 Jan 2011 23:53:09 +0100 (CET) (envelope-from rsmith@xs4all.nl) Received: by slackbox.erewhon.net (Postfix, from userid 1001) id 2D314BAAA; Mon, 17 Jan 2011 23:53:09 +0100 (CET) Date: Mon, 17 Jan 2011 23:53:09 +0100 From: Roland Smith To: Alokat Message-ID: <20110117225308.GA40523@slackbox.erewhon.net> References: <4D34A6EF.30600@alokat.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt" Content-Disposition: inline In-Reply-To: <4D34A6EF.30600@alokat.org> X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt X-GPG-Notice: If this message is not signed, don't assume I sent it! User-Agent: Mutt/1.5.21 (2010-09-15) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: freebsd-questions@freebsd.org Subject: Re: harddrive encryption X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jan 2011 22:53:11 -0000 --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote: > Hi, >=20 > is it possible to encrypt my full harddrive (excluding /boot) during a=20 > freebsd installation. Or do I have to do this after the installation=20 > manually? =20 Currently you have to do it manually afterwards.=20 Personally, I would not bother encrypting the OS data; there is nothing sec= ret there, and it does have a performance impact. Plus it would provide ample material for a known-plaintext attack! What you can do is set apart a partition during installation where you are going to store your data, be it /home, /var/www or whatever. After installation, encrypt that partition with geli(8), newfs it and put the name of the *.eli device in /etc/fstab. That should make the startup scripts ask for the passphrase. Do not rely on a keyfile that resides on a disk in the machine (that would make encryption futile)! Use a passphrase instead. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --pf9I7BMVVzbSWLtt Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (FreeBSD) iEYEARECAAYFAk00yFQACgkQEnfvsMMhpyWM+QCfaPMlciz8u0CT5mHqu21vzE5b 7LsAoKemTNrNyLSOOJmDYHRAIvpifKWc =eyr7 -----END PGP SIGNATURE----- --pf9I7BMVVzbSWLtt--