Date: Wed, 10 Oct 2007 23:09:10 +0200 From: Roland Smith <rsmith@xs4all.nl> To: Steve Bertrand <iaccounts@ibctech.ca> Cc: freebsd-questions@freebsd.org Subject: Re: Booting a GELI encrypted hard disk Message-ID: <20071010210910.GA15103@slackbox.xs4all.nl> In-Reply-To: <470D1B28.9050308@ibctech.ca> References: <470CCDE2.9090603@ibctech.ca> <20071010175349.GB9770@slackbox.xs4all.nl> <470D1B28.9050308@ibctech.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
--qDbXVdCdHGoSgWSk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 10, 2007 at 02:34:16PM -0400, Steve Bertrand wrote: > > Put all the data that really needs to be encrypted on a separate slice, > > and encrypt that. Leave the rest unencrypted, especially /boot. As a > > rule of thumb; don't bother encrypting anything that you can just > > download from the internet. :-) >=20 > Fair enough, this makes sense. Thank you. >=20 > > As you can see only /home is encrypted because the rest doesn't hold > > data worth encrypting. >=20 > Well, on mine it will. I was talking about my system. Yours will of course be different. :-) =20 > > If you encrypted / and /usr, you might actually make the system more > > vulnerable to a known-plaintext attack, because there are a lot of files > > with well-known contents there. >=20 > I can get away with not having / encrypted, but I need /var encrypted > for databases and logs etc, /tmp so any temporary files are secured and > the swap file (swap very rarely gets used). You can even encrypt /tmp with a one-time key (see 'geli onetime'). =20 Also have a look at the geli_* variables in /etc/defaults/rc.conf. > So, I will test it as you suggested, however, would it be possible to > still house my key on a removable USB stick, and after the slices are > mounted into the file system successfully to then unmount and remove the > USB drive and have the box remain in operation, or does the key need to > be accessed throughout all disk reads/writes? It only needs to be present during creation of the GELI devices (geli attach). The rc scripts know they have to load GELI and attach the devices if they see an .eli device in /etc/fstab. Geli will ask for the passphrase(s) during boot-up if you're using them. You can specify which key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf However using a USB device presents it's own problems. If you plug-in a USB stick there's no telling which device node it ends up with, depending on how many other USB devices are on the bus. To make device recognition easier, you should use a GEOM label on the USB stick, so you'll know which /dev/label/* device node it gets. And you'd probably have to hack an rc script to mount the USB stick _before_ the system tries to attach the GELI device(s). > Essentially, I'd like it so that if the box reboots while I am gone, or > if I want to reboot it remotely there is theoretically no way for > someone at the console to re-mount the encrypted slices? Well, if you don't know the passphrase during boot-up (you get 3 tries), the geli devices will not be created and mounting the slices depending on them will fail. so you don't _need_ a keyfile for that. And remember that this USB stick is another thing you have to back-up and store in a safe place. It would be bad if you lost your data because your USB stick died or got lost. Roland --=20 R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) --qDbXVdCdHGoSgWSk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQFHDT92EnfvsMMhpyURAr+FAJ46V7gSpk0jdmMGXlQWiRbLRIi+6gCeOHAp nUuRBYvQ7ZS7Hfs4LMZq/b4= =9zoG -----END PGP SIGNATURE----- --qDbXVdCdHGoSgWSk--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071010210910.GA15103>