From: Steve Bertrand
Date: Thu, 11 Oct 2007 12:31:42 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Booting a GELI encrypted hard disk
Message-ID: <470E4FEE.1000201@ibctech.ca>
In-Reply-To: <20071010210910.GA15103@slackbox.xs4all.nl>

>>> As you can see only /home is encrypted because the rest doesn't hold
>>> data worth encrypting.
>> Well, on mine it will.
>
> I was talking about my system. Yours will of course be different. :-)

I know. I was not trying to be sarcastic in any way. Sorry if it seemed
that way :)

> You can even encrypt /tmp with a one-time key (see 'geli onetime').

I will likely do this with /tmp and swap.

> Also have a look at the geli_* variables in /etc/defaults/rc.conf.

Will do.

> It only needs to be present during creation of the GELI devices (geli
> attach). The rc scripts know they have to load GELI and attach the
> devices if they see an .eli device in /etc/fstab. Geli will ask for the
> passphrase(s) during boot-up if you're using them. You can specify which
> key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf.
>
> However, using a USB device presents its own problems. If you plug in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

Getting around these issues is trivial. The only requirement is that my
thumbdrive comes with me after the machine is reloaded.

> And remember that this USB stick is another thing you have to back up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Understood. This has been considered, and it's exactly what I do with my
TrueCrypt encrypted information on my Windows workstation.

Steve
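The rc.conf and fstab wiring plus the "mount the labelled USB stick before geli attaches" step discussed in the quoted reply, as an added shell example that is not part of the thread. The provider name ad0s1d, the GEOM label gelikey, the mount point /mnt/gelikey and the keyfile name home.key are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: provider ad0s1d,
# GEOM label "gelikey" on the USB stick, keyfile home.key.
#
# rc.d/geli attaches every provider listed in geli_devices and passes
# geli_<provider>_flags verbatim to "geli attach".  A keyfile on a USB stick
# therefore has to be mounted BEFORE rc.d/geli runs; a small rc.d script with
# the rcorder tags "# PROVIDE: gelikey" and "# BEFORE: geli" can call
# mount_keystick below to do that.

KEY_MNT=/mnt/gelikey              # where the labelled stick is mounted
KEY_LABEL=/dev/label/gelikey      # stable node thanks to glabel, not da0/da1

# Emit the /etc/rc.conf lines for one keyfile-protected provider.
# Swap and /tmp need no keyfile: geli_swap_flags in /etc/defaults/rc.conf
# already gives one-time keys to swap entries named *.eli in fstab.
rc_conf_fragment() {
    dev=$1; key=$2
    cat <<EOF
geli_devices="$dev"
geli_${dev}_flags="-k $KEY_MNT/$key"
EOF
}

# Emit the /etc/fstab line; the .eli suffix is what tells the rc scripts
# that GELI must be loaded and the provider attached before mounting.
fstab_fragment() {
    dev=$1; mnt=$2
    printf '/dev/%s.eli\t%s\tufs\trw\t2\t2\n' "$dev" "$mnt"
}

# Refuse a keyfile that is missing, empty, or readable by group/other:
# a world-readable key on a stick defeats the point of the passphrase.
keyfile_ok() {
    f=$1
    [ -s "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)     # group+other permission bits
    [ "$mode" = "------" ]
}

# Mount the stick read-only and check the key; a non-zero return should
# make the caller stop before rc.d/geli tries to attach and fails.
mount_keystick() {
    key=$1
    mkdir -p "$KEY_MNT"
    mount -o ro "$KEY_LABEL" "$KEY_MNT" || return 1
    keyfile_ok "$KEY_MNT/$key"
}

rc_conf_fragment ad0s1d home.key
fstab_fragment ad0s1d /home
```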