From: Modulok
To: Roland Smith
Cc: Alokat, freebsd-questions@freebsd.org
Date: Mon, 17 Jan 2011 22:05:53 -0700
Subject: Re: harddrive encryption

On 1/17/11, Roland Smith wrote:
> On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
>> Hi,
>>
>> is it possible to encrypt my full harddrive (excluding /boot) during a
>> freebsd installation. Or do I have to do this after the installation
>> manually?
>
> Currently you have to do it manually afterwards.
>
> Personally, I would not bother encrypting the OS data; there is nothing secret
> there, and it does have a performance impact. Plus it would provide ample
> material for a known-plaintext attack!
>

Modern ciphers such as AES are not susceptible to known plaintext attacks. The
advantage to full disk encryption, including operating system data, is that
nothing is ever accidentally missed. The hard drive can safely be thrown out
when it fails or is decommissioned, with no worry that some temporary file or
database somewhere you forgot about wasn't on the right partition.

Regardless, these are only offline protections from physical theft for low to
moderately motivated attackers. If you had a database of medical or financial
records, disk encryption is probably a good thing. Otherwise
http://xkcd.com/538/

The real danger is loss or corruption of the decryption keys. Make backups!

-Modulok-