Date: Wed, 12 Mar 2008 01:20:02 GMT From: Volker <volker@vwsoft.com> To: freebsd-bugs@FreeBSD.org Subject: Re: conf/80158: [gbde] [patch] [request] configuration option for specifing the GBDE passphrase. Message-ID: <200803120120.m2C1K2is089500@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR conf/80158; it has been noted by GNATS. From: Volker <volker@vwsoft.com> To: bug-followup@FreeBSD.org, daved@tamu.edu Cc: Subject: Re: conf/80158: [gbde] [patch] [request] configuration option for specifing the GBDE passphrase. Date: Wed, 12 Mar 2008 02:17:32 +0100 David, while working on the backlog of problem reports, I came across your ticket. I'm sorry to tell, but I'm unable to go and look for a maintainer to take care about your report because importing this patch is a threat to the system security in general. Securing data laying around on a hard disk and putting the key for protecting the data eventually onto the same disk is really a bad idea. This is like putting the key for your car onto the drivers seat and leave your car unlocked. The idea to have the passphrase to decrypt the data of your hard disk being put into /etc/rc.conf might work for you if you're having a separate disk for the root-fs (where /etc is located) and another set of disks under control of gbde. But this is not a true for every system. Importing your patch into the base infrastructure might lead the not too experienced and not too security minded user into thinking, doing this is safe - which is of course wrong. So my view to your patch is, it may lead someone else into getting the feeling of using a secured (encrypted) system which is - on the other side - decryptable for anybody who has read access to the root-fs. I think this problem might be the case why this ticket hasn't been touched for years. Because I don't really see the chance to get this imported into the base system, I'm going to suspend this ticket so just for the case any of the maintainers might have a different view can grab and re-open this ticket. Of course you're welcome to disagree and file a followup to this ticket. If you agree and understand that the patch might possibly not being imported, you may also request to have that ticket being closed. I hope you understand the objection. Thanks a lot for your understanding!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803120120.m2C1K2is089500>