Date: Fri, 8 Jun 2007 07:16:44 -0500
From: Eric Crist <mnslinky@gmail.com>
To: cpghost <cpghost@cordula.ws>
Cc: freebsd-questions@freebsd.org
Subject: Re: GEOM/GELI Boot Disk Encryption
Message-ID: <191E5B74-1CED-44B7-8DEA-9BEB4741FC5D@gmail.com>
In-Reply-To: <20070607145431.GA65146@epia-2.farid-hajji.net>
References: <905f1be0706060528p3217f614he29a7d4b33ac01dc@mail.gmail.com> <20070606170044.GA59161@slackbox.xs4all.nl> <20070607145431.GA65146@epia-2.farid-hajji.net>

On Jun 7, 2007, at 9:54 AM, cpghost wrote:

> On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote:
> You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp,
> and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in
> addition to /home. Most userland programs can leak sensitive data there
> that you'd rather have encrypted too.
>
> Add to this: stuff like /var/db (esp. useful for /var/db/pgsql,
> /var/db/mysql, mail spool directories and some such), and maybe
> /var/log as well. Encrypting the complete /var filesystem is
> easier though... Some ports also use /usr/local/www to store
> user-specific data, but what's the point of encrypting this? ;-)
>
> Regards,
> -cpghost.

So, back to encrypting my entire disk, I just need to put the boot partition on its own slice? There's all the bits available to start up the decryption stuff after that loads, so I can make my entire system, swap and all, encrypted, right?

Eric