From owner-freebsd-questions@FreeBSD.ORG Thu Oct 25 15:56:48 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7438416A46B for ; Thu, 25 Oct 2007 15:56:48 +0000 (UTC) (envelope-from iaccounts@ibctech.ca)
Received: from pearl.ibctech.ca (pearl.ibctech.ca [208.70.104.210]) by mx1.freebsd.org (Postfix) with ESMTP id 062D813C4BF for ; Thu, 25 Oct 2007 15:56:47 +0000 (UTC) (envelope-from iaccounts@ibctech.ca)
Received: (qmail 21433 invoked by uid 1002); 25 Oct 2007 15:56:47 -0000
Received: from iaccounts@ibctech.ca by pearl.ibctech.ca by uid 89 with qmail-scanner-1.22 (spamassassin: 2.64. Clear:RC:1(208.70.104.100):. Processed in 6.583507 secs); 25 Oct 2007 15:56:47 -0000
Received: from unknown (HELO ?192.168.30.110?) (steve@ibctech.ca@208.70.104.100) by pearl.ibctech.ca with (DHE-RSA-AES256-SHA encrypted) SMTP; 25 Oct 2007 15:56:40 -0000
Message-ID: <4720BCBC.9080800@ibctech.ca>
Date: Thu, 25 Oct 2007 11:56:44 -0400
From: Steve Bertrand
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Pawel Jakub Dawidek
References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl> <20071022174629.GA1118@garage.freebsd.pl> <1799.208.70.104.211.1193103682.squirrel@webmail.ibctech.ca> <20071024173858.GA1119@garage.freebsd.pl>
In-Reply-To: <20071024173858.GA1119@garage.freebsd.pl>
X-Enigmail-Version: 0.95.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Daniel Marsh , freebsd-questions@freebsd.org
Subject: Re: Booting a GELI encrypted hard disk
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 25 Oct 2007 15:56:48 -0000

Pawel Jakub Dawidek wrote:
> On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
>> Even if all data on a drive is encrypted, the partition table is not.
>> Software based disk encryption works on partitions.
>
> That's not true. One can configure full disk encryption using GELI. To
> do it you need to have a small USB pen-drive or CD-ROM with a /boot/
> directory, but that's all you need. Then you actually boot from your
> unencrypted pen-drive, but mount all file systems from the encrypted disk.
> The pen-drive is not needed for your system to run and you can easily
> take it with you, which is not always the case for your laptop.

This is EXACTLY what I have now. As soon as the machine is booted, my thumb
disk comes with me.

The ONLY information on the thumb drive is /boot, a directory /keys and an
/etc that has only an fstab (to mount the .eli partitions from the hard
disk) and a loader.conf file to locate the keys.

This was originally my objective and I have got it in place. Now the machine
is nearly upgraded to 7.0.

Steve
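The pen-drive layout described in this exchange (unencrypted /boot plus a /keys directory and a minimal /etc, with every file system mounted from .eli providers on the encrypted disk) can be staged and sanity-checked with a small script. The following is an added example and not code from the thread, from Steve's setup, or from FreeBSD itself. It assumes two GELI providers named ad0s1d (root) and ad0s1e (/usr) that were initialised with a key file, uses the geli_<provider>_keyfile0_* and vfs.root.mountfrom loader variables as documented in geli(8) and loader.conf(5), places loader.conf at /boot/loader.conf where loader(8) reads it, and writes everything into a staging directory that stands in for the pen-drive. The key files it generates are random placeholders for the example; on a real system they are the files that were passed to geli init -K.

```sh
#!/bin/sh
# Added example (not from the thread): stage the unencrypted boot pen-drive
# for a GELI-encrypted hard disk and check it before pulling the drive.
# Assumed providers: ad0s1d (root), ad0s1e (/usr). Assumed staging dir: $STAGE.

# Write /boot/loader.conf: load geom_eli and preload one key file per provider.
# Key file paths are relative to the pen-drive, which is the loader's root.
write_loader_conf() {
    stage="$1"; root_prov="$2"; shift 2
    mkdir -p "$stage/boot"
    {
        echo 'geom_eli_load="YES"'
        for prov in "$root_prov" "$@"; do
            echo "geli_${prov}_keyfile0_load=\"YES\""
            echo "geli_${prov}_keyfile0_type=\"${prov}:geli_keyfile0\""
            echo "geli_${prov}_keyfile0_name=\"/keys/${prov}.key\""
        done
        # Root is mounted from the attached (decrypted) provider, never the raw disk.
        echo "vfs.root.mountfrom=\"ufs:/dev/${root_prov}.eli\""
    } > "$stage/boot/loader.conf"
}

# Write /etc/fstab listing only the decrypted .eli providers.
write_fstab() {
    stage="$1"; root_prov="$2"; usr_prov="$3"
    mkdir -p "$stage/etc"
    {
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "/dev/${root_prov}.eli" / ufs rw 1 1
        printf '%s\t%s\t%s\t%s\t%s\t%s\n' "/dev/${usr_prov}.eli" /usr ufs rw 2 2
    } > "$stage/etc/fstab"
}

# Create a 64-byte random placeholder key per provider, readable by owner only.
# (Constructed for the example; real key files are the ones given to geli init -K.)
make_keys() {
    stage="$1"; shift
    mkdir -p "$stage/keys"
    for prov in "$@"; do
        dd if=/dev/urandom of="$stage/keys/${prov}.key" bs=64 count=1 2>/dev/null
        chmod 0400 "$stage/keys/${prov}.key"
    done
}

# Sanity check: every key file named in loader.conf exists on the pen-drive,
# and fstab mounts only .eli devices (a raw /dev/ad0s1d entry would try to
# mount ciphertext as a file system).
check_pendrive() {
    stage="$1"
    sed -n 's/^geli_.*_keyfile0_name="\(.*\)"$/\1/p' "$stage/boot/loader.conf" |
    while read -r key; do
        [ -s "$stage$key" ] || { echo "missing key file: $key" >&2; exit 1; }
    done || return 1
    if grep -v '^#' "$stage/etc/fstab" | awk '{print $1}' | grep -qv '\.eli$'; then
        echo "fstab mounts an unencrypted device" >&2
        return 1
    fi
    return 0
}

# Build the whole layout and return the check's result.
build_pendrive() {
    stage="$1"
    rm -rf "$stage"
    make_keys "$stage" ad0s1d ad0s1e
    write_loader_conf "$stage" ad0s1d ad0s1e
    write_fstab "$stage" ad0s1d ad0s1e
    check_pendrive "$stage"
}

build_pendrive "${STAGE:-/tmp/geli-pendrive}"
```

Copying the staged tree onto the pen-drive together with a normal /boot (kernel, modules, loader) gives the layout the thread describes; check_pendrive is the step worth re-running after any change to the providers, since a missing key file or a stray unencrypted fstab entry only shows up at the next boot otherwise.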