From: Chip Camden
To: freebsd-questions@freebsd.org
Date: Tue, 18 Jan 2011 08:10:40 -0800
Subject: Re: harddrive encryption
Message-ID: <20110118161040.GC76347@libertas.local.camdensoftware.com>
In-Reply-To: <20110118070719.GA51692@slackbox.erewhon.net>

Quoth Roland Smith on Tuesday, 18 January 2011:
> On Mon, Jan 17, 2011 at 10:05:53PM -0700, Modulok wrote:
> > On 1/17/11, Roland Smith wrote:
> > > On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
> > >> Hi,
> > >>
> > >> is it possible to encrypt my full harddrive (excluding /boot) during a
> > >> freebsd installation. Or do I have to do this after the installation
> > >> manually?
> > >
> > > Currently you have to do it manually afterwards.
> > >
> > > Personally, I would not bother encrypting the OS data; there is nothing
> > > secret
> > > there, and it does have a performance impact. Plus it would provide ample
> > > material for a known-plaintext attack!
> > >
> >
> > Modern ciphers such as AES are not susceptible to known plaintext
> > attacks.
>
> That is indeed what it says on
> http://en.wikipedia.org/wiki/Known-plaintext_attack. But without any
> source or other justification. In this case, I'd say [citation needed]!
>
> At one time Enigma and DES were regarded as unbreakable. :-)
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

It seems prudent to me to reduce the attack surface to that which really
needs to be defended -- "When you defend everything, you defend nothing".
Not to mention avoiding the overhead of encrypting OS files.

What do you folks think of the relative merits of AES vs Blowfish for disk
encryption?

-- 
Sterling (Chip) Camden | sterling@camdensoftware.com | 2048D/3A978E4F
http://chipsquips.com | http://camdensoftware.com | http://chipstips.com