Date:      Thu, 11 Oct 2007 12:31:42 -0400
From:      Steve Bertrand <iaccounts@ibctech.ca>
To:        freebsd-questions@freebsd.org
Subject:   Re: Booting a GELI encrypted hard disk
Message-ID:  <470E4FEE.1000201@ibctech.ca>
In-Reply-To: <20071010210910.GA15103@slackbox.xs4all.nl>
References:  <470CCDE2.9090603@ibctech.ca>	<20071010175349.GB9770@slackbox.xs4all.nl>	<470D1B28.9050308@ibctech.ca> <20071010210910.GA15103@slackbox.xs4all.nl>

>>> As you can see only /home is encrypted because the rest doesn't hold
>>> data worth encrypting.
>> Well, on mine it will.
> 
> I was talking about my system. Yours will of course be different. :-)

I know. I was not trying to be sarcastic in any way. Sorry if it seemed
that way :)

> You can even encrypt /tmp with a one-time key (see 'geli onetime').

I will likely do this with /tmp and swap.

> Also have a look at the geli_* variables in /etc/defaults/rc.conf.

Will do.

> It only needs to be present during creation of the GELI devices (geli
> attach). The rc scripts know they have to load GELI and attach the
> devices if they see an .eli device in /etc/fstab. Geli will ask for the
> passphrase(s) during boot-up if you're using them. You can specify which
> key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf
> 
> However using a USB device presents its own problems. If you plug in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

Getting around these issues is trivial. The only requirement is that my
thumbdrive comes with me after the machine is reloaded.

> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Understood. This has been considered, and it's exactly what I do with my
TrueCrypt encrypted information on my Windows workstation.

Steve
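Added example, not part of the thread above: the quoted advice says the rc scripts attach any `.eli` device they find in /etc/fstab and take the key-file from `geli_[devicename]_flags` in /etc/rc.conf. A device that is listed in fstab but has no matching flags line would stall the boot asking for a passphrase the key-file was supposed to supply, so the POSIX sh below cross-checks the two files. The fstab and rc.conf contents are constructed for illustration (device names, key path and flags are assumptions, not values from the thread); on a real system the functions would read /etc/fstab and /etc/rc.conf instead.

```shell
#!/bin/sh
# Cross-check a FreeBSD fstab against rc.conf: every non-swap .eli device
# that fstab expects at boot should have a geli_<devicename>_flags line
# (for example pointing at a key-file on a labelled USB stick).

# Constructed /etc/fstab: swap, /home and /tmp are GELI-backed.
SAMPLE_FSTAB='
# Device            Mountpoint  FStype  Options  Dump  Pass
/dev/ada0p2         /           ufs     rw       1     1
/dev/ada0p3.eli     none        swap    sw       0     0
/dev/ada0p4.eli     /home       ufs     rw       2     2
/dev/ada0p5.eli     /tmp        ufs     rw       2     2
'

# Constructed /etc/rc.conf: ada0p5 deliberately has no flags line, so the
# check reports it. Swap is covered by geli_swap_flags and is not checked.
SAMPLE_RCCONF='
geli_devices="ada0p4"
geli_ada0p4_flags="-k /mnt/usbkeys/home.key"
'

# Print the base device names (no /dev/ prefix, no .eli suffix) of the
# non-swap .eli entries in the fstab read from stdin. Comment lines start
# with "#" in field 1 and so never match.
eli_devices_from_fstab() {
    awk '$1 ~ /\.eli$/ && $3 != "swap" {
             sub("^/dev/", "", $1); sub("\\.eli$", "", $1); print $1 }'
}

# Read device names from stdin and print each one for which the rc.conf
# file given as $1 has no geli_<dev>_flags line. No output means complete.
missing_geli_flags() {
    rcconf="$1"
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        grep -q "^geli_${dev}_flags=" "$rcconf" || echo "$dev"
    done
}

# Run the check against the constructed samples and print the offenders.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RCCONF" > "$tmp"
    printf '%s\n' "$SAMPLE_FSTAB" | eli_devices_from_fstab | missing_geli_flags "$tmp"
    rm -f "$tmp"
}

check_sample
```

With the samples above the script prints `ada0p5`, the /tmp provider that fstab expects but rc.conf never describes. A `-k` path in the flags line only works if the filesystem holding the key is already mounted when `geli attach` runs, which is the ordering problem the thread raises for a labelled USB stick.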
