From owner-freebsd-hackers@freebsd.org Tue Sep 8 17:57:26 2015
From: "Li, Xiao"
To: RW, "freebsd-hackers@freebsd.org"
Subject: Re: Passphraseless Disk Encryption Options?
Date: Tue, 8 Sep 2015 17:57:03 +0000
References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <20150908184240.0c368300@gumby.homeunix.com>
In-Reply-To: <20150908184240.0c368300@gumby.homeunix.com>
List-Id: Technical Discussions relating to FreeBSD

Thanks for the reply!

My problem is: I trust the booted system since the boot process is protected by trusted gpt boot and a randomly generated login password. My machine only allows remote ssh access. I'm trying to protect the machine if it is lost or intercepted and the attacker is trying to gain access to the files and data on its boot disk by attaching the boot disk to another system.
I found a thread here and I have the same questions as the OP:
http://serverfault.com/questions/412857/freebsd-encryption-concept-automatic-boot-without-password-or-key-when-mounted?newreg=8066eff445b44f8f85b2a7092f92b29f

But since I'm using TPM, I'm wondering if I could store the key or passphrase in TPM to achieve the automatic boot without manual interaction.

Thanks again!
Xiao

On 9/8/15, 10:42 AM, "owner-freebsd-hackers@freebsd.org on behalf of freebsd-hackers@freebsd.org" wrote:

>On Tue, 8 Sep 2015 10:22:21 -0700
>Analysiser wrote:
>
>> Hi,
>>
>> I'm trying to perform a whole disk encryption for my boot drive to
>> protect its data at rest. However I would like to have a Mac OS X-ish
>> full disk encryption that does not explicitly ask for a passphrase
>> and would boot as normal without manual input of passphrase. I tried
>> to do it with geli(8) but it seems there is no way I can avoid the
>> manual interaction. Really curious if there is a way to achieve it?
>
>What exactly do you want to do? Without some form of manual interaction
>disk encryption is pointless.
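The idea raised in the message above (keep the geli keyfile sealed in the TPM so the machine boots unattended, yet the disk is useless once attached to another system) can be modelled in a few dozen lines. The block below is an added example, not code from the thread, from FreeBSD or from any TPM stack: the "TPM" is a Python class holding a per-chip secret that never leaves it, PCR extend follows the TPM 2.0 rule PCR' = SHA-256(PCR || SHA-256(event)), the PolicyPCR digest is simplified to a SHA-256 over the selected PCR values, and the wrapping uses HMAC-SHA256 in counter mode plus an HMAC tag in place of the TPM's own symmetric scheme. The 64-byte keyfile, the boot events and the PCR selection (0, 4, 8) are constructed for the illustration.

```python
"""Model of a geli keyfile sealed to a TPM's boot measurements (PCRs).

Added illustration, not FreeBSD, geli or TPM code.  The "TPM" is a Python
class whose storage-root secret never leaves it; PCR extend follows the
TPM 2.0 rule  PCR' = SHA-256(PCR || SHA-256(event));  the PolicyPCR digest
is simplified to SHA-256 of the selected PCR values; wrapping uses
HMAC-SHA256 in counter mode plus an HMAC tag in place of the TPM's own
symmetric scheme.  The 64-byte keyfile and boot events are constructed.
"""
import hashlib
import hmac
import os

PCR_RESET = bytes(32)  # every PCR reads as all-zero after a platform reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: a PCR can only be driven forward, never set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(events) -> dict:
    """Replay a boot log of (pcr_index, event_bytes) into a fresh PCR bank."""
    pcrs = {}
    for index, event in events:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_RESET), event)
    return pcrs


def policy_pcr(pcrs: dict, selection) -> bytes:
    """Simplified PolicyPCR digest over the selected PCRs in index order."""
    return hashlib.sha256(
        b"".join(pcrs.get(i, PCR_RESET) for i in sorted(selection))
    ).digest()


class ModelTPM:
    """Seal/unseal under a per-chip secret; data is released only when the
    current PCR policy equals the one recorded at sealing time."""

    def __init__(self):
        self._srk = os.urandom(32)  # storage root secret, unique to this chip

    def _kek(self, policy: bytes) -> bytes:
        return hmac.new(self._srk, b"seal|" + policy, hashlib.sha256).digest()

    @staticmethod
    def _keystream(kek: bytes, n: int) -> bytes:
        blocks = [hmac.new(kek, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
                  for ctr in range((n + 31) // 32)]
        return b"".join(blocks)[:n]

    def seal(self, secret: bytes, pcrs: dict, selection) -> dict:
        policy = policy_pcr(pcrs, selection)
        kek = self._kek(policy)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(kek, len(secret))))
        tag = hmac.new(kek, policy + ct, hashlib.sha256).digest()
        return {"selection": tuple(sorted(selection)), "policy": policy,
                "ct": ct, "tag": tag}

    def unseal(self, blob: dict, pcrs: dict) -> bytes:
        # 1. policy check: the boot asking for the key must measure exactly
        #    like the boot that sealed it (mirrors TPM_RC_POLICY_FAIL)
        current = policy_pcr(pcrs, blob["selection"])
        if not hmac.compare_digest(current, blob["policy"]):
            raise PermissionError("PCR policy mismatch: different boot path")
        # 2. integrity check: the blob must have been sealed by THIS chip
        kek = self._kek(blob["policy"])
        tag = hmac.new(kek, blob["policy"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PermissionError("blob was not sealed by this TPM")
        ks = self._keystream(kek, len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def try_unseal(tpm: ModelTPM, blob: dict, events) -> bool:
    """True if the modelled boot described by `events` gets the keyfile back."""
    try:
        tpm.unseal(blob, measure_boot(events))
        return True
    except PermissionError:
        return False


def scenario() -> dict:
    """Owner seals the geli keyfile on host A; three attempts to recover it."""
    keyfile = os.urandom(64)  # constructed stand-in for the geli keyfile
    host_a = ModelTPM()
    trusted_boot = [(0, b"firmware 1.2"), (4, b"gptboot+loader, signed"),
                    (8, b"kernel + loader.conf")]
    blob = host_a.seal(keyfile, measure_boot(trusted_boot), selection=(0, 4, 8))
    tampered_boot = [(0, b"firmware 1.2"), (4, b"attacker loader"),
                     (8, b"kernel + loader.conf")]
    return {
        "same_host_same_boot": host_a.unseal(blob, measure_boot(trusted_boot)) == keyfile,
        "same_host_tampered_boot": try_unseal(host_a, blob, tampered_boot),
        # disk moved to host B: even a bit-identical boot log does not help,
        # because the blob is bound to host A's chip secret
        "other_host_same_boot": try_unseal(ModelTPM(), blob, trusted_boot),
    }


if __name__ == "__main__":
    for case, released in scenario().items():
        print(f"{case:26s} keyfile released: {released}")
```

On a real FreeBSD system the geli side of this is keyfile-only encryption (geli init -P -K keyfile, geli attach -p -k keyfile), with the unseal step producing that keyfile during boot; the model's three cases map onto the threat model stated in the message above. A disk pulled out and attached to another host yields nothing, and so does the original host booted through a modified loader, but an attacker who boots the intact machine along its trusted path still ends up facing a running system with the disk attached, which is why the random login password and ssh-only exposure remain part of the design rather than being replaced by the TPM.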