From owner-freebsd-current@FreeBSD.ORG Fri Jul 29 13:37:42 2005 Return-Path: X-Original-To: current@FreeBSD.org Delivered-To: freebsd-current@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E42016A420; Fri, 29 Jul 2005 13:37:42 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from mh1.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0339C43D46; Fri, 29 Jul 2005 13:37:41 +0000 (GMT) (envelope-from anderson@centtech.com) Received: from [10.177.171.220] (neutrino.centtech.com [10.177.171.220]) by mh1.centtech.com (8.13.1/8.13.1) with ESMTP id j6TDbfS3007074; Fri, 29 Jul 2005 08:37:41 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <42EA311F.1020902@centtech.com> Date: Fri, 29 Jul 2005 08:37:35 -0500 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.8) Gecko/20050603 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Pawel Jakub Dawidek References: <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch> <42E981B9.5060500@datacomm.ch> <20050729103655.GG609@darkness.comp.waw.pl> <42EA205B.2000907@cytexbg.com> <42EA2EFE.3030800@centtech.com> <20050729133324.GL609@darkness.comp.waw.pl> In-Reply-To: <20050729133324.GL609@darkness.comp.waw.pl> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.82/997/Fri Jul 29 03:07:29 2005 on mh1.centtech.com X-Virus-Status: Clean Cc: current@FreeBSD.org Subject: Re: GELI - disk encryption GEOM class committed. X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Jul 2005 13:37:42 -0000 Pawel Jakub Dawidek wrote: > On Fri, Jul 29, 2005 at 08:28:30AM -0500, Eric Anderson wrote: > +> Niki Denev wrote: > +> >Pawel Jakub Dawidek wrote: > +> > > +> Booting from Encrypted Root: > +> > > +> >>+> GELI - Works. How'd one load the kernel from an encrypted root > +> >>though? > +> >> > +> >>Kernel has to be loaded from a USB Pen-Drive or a CD-ROM. > +> >>You need to put /boot/ directory in there. GELI will ask for the > +> >>passphrase > +> >>before root file system is mounted. After that you can remove > +> >>Pen-Drive/CD-ROM. > +> >> > +> > > +> >Wouldn't it work if /boot is small separate unencrypted partition? > +> >( Well, there is the possibility that someone replaces your kernel > +> >with one with keylogger to catch your password next time you type it :)) > +> >I use this method for bootable RAID1+0 with GEOM's stripe and mirror, > +> >and it seems to work great. > +> > +> Maybe you could write up a quick howto on your setup, and post it/submit > +> it to the doc@ team. > > I'd prefer not to, as if you keep your kernel and modules decrypted, there > is no point to encrypt root file system. Hmm - is that really true? How can one decrypt the root partition data without the key, but with the kernel and modules? It seems that if that is a problem, than encrypting any partition without the kernel/modules encrypted would be the same scenario. I think there still is benefit in encrypting the root, but not /boot. Eric -- ------------------------------------------------------------------------ Eric Anderson Sr. Systems Administrator Centaur Technology Anything that works is better than anything that doesn't. ------------------------------------------------------------------------