Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 29 Jul 2005 08:37:35 -0500
From:      Eric Anderson <anderson@centtech.com>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        current@FreeBSD.org
Subject:   Re: GELI - disk encryption GEOM class committed.
Message-ID:  <42EA311F.1020902@centtech.com>
In-Reply-To: <20050729133324.GL609@darkness.comp.waw.pl>
References:  <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch> <42E981B9.5060500@datacomm.ch> <20050729103655.GG609@darkness.comp.waw.pl> <42EA205B.2000907@cytexbg.com> <42EA2EFE.3030800@centtech.com> <20050729133324.GL609@darkness.comp.waw.pl>

next in thread | previous in thread | raw e-mail | index | archive | help
Pawel Jakub Dawidek wrote:
> On Fri, Jul 29, 2005 at 08:28:30AM -0500, Eric Anderson wrote:
> +> Niki Denev wrote:
> +> >Pawel Jakub Dawidek wrote:
> +> > > +> Booting from Encrypted Root:
> +> >
> +> >>+>   GELI - Works. How'd one load the kernel from an encrypted root 
> +> >>though?
> +> >>
> +> >>Kernel has to be loaded from a USB Pen-Drive or a CD-ROM.
> +> >>You need to put /boot/ directory in there. GELI will ask for the 
> +> >>passphrase
> +> >>before root file system is mounted. After that you can remove
> +> >>Pen-Drive/CD-ROM.
> +> >>
> +> >
> +> >Wouldn't it work if /boot is small separate unencrypted partition?
> +> >( Well, there is the possibility that someone replaces your kernel
> +> >with one with keylogger to catch your password next time you type it :))
> +> >I use this method for bootable RAID1+0 with GEOM's stripe and mirror,
> +> >and it seems to work great.
> +> 
> +> Maybe you could write up a quick howto on your setup, and post it/submit 
> +> it to the doc@ team.
> 
> I'd prefer not to, as if you keep your kernel and modules decrypted, there
> is no point to encrypt root file system.

Hmm - is that really true?  How can one decrypt the root partition data 
without the key, but with the kernel and modules?  It seems that if that 
is a problem, than encrypting any partition without the kernel/modules 
encrypted would be the same scenario.

I think there still is benefit in encrypting the root, but not /boot.

Eric



-- 
------------------------------------------------------------------------
Eric Anderson        Sr. Systems Administrator        Centaur Technology
Anything that works is better than anything that doesn't.
------------------------------------------------------------------------



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42EA311F.1020902>