Date: Wed, 10 Oct 2007 23:37:55 +0200 From: Mel <fbsd.questions@rachie.is-a-geek.net> To: Fabian Keil <freebsd-listen@fabiankeil.de>, freebsd-questions@freebsd.org Subject: Re: Booting a GELI encrypted hard disk Message-ID: <200710102337.57373.fbsd.questions@rachie.is-a-geek.net> In-Reply-To: <20071010211701.GB15103@slackbox.xs4all.nl> References: <470CCDE2.9090603@ibctech.ca> <20071010201838.23fa7c2f@fabiankeil.de> <20071010211701.GB15103@slackbox.xs4all.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 10 October 2007 23:17:01 Roland Smith wrote: > On Wed, Oct 10, 2007 at 08:18:38PM +0200, Fabian Keil wrote: > > Roland Smith <rsmith@xs4all.nl> wrote: > > > On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote: > > > > I am voraciously attempting to get a FreeBSD system to boot from a > > > > GELI encrypted hard disk, but am having problems. > > > > > > You don't need to encrypt the whole harddisk. You can encrypt separate > > > slices. There is no need to encrypt stuff like / or /usr; what is there > > > that needs to be kept secret? > > > > Encryption isn't only useful for private data, > > it also reduces the risk of third parties replacing > > your binaries with Trojans while your away. > > If that someone can replace binaries on a running system, you're box has > been h4x0red and you're screwed anyway. Doubly so if your encrypted > filesystem was mounted at the time. :-) I think the case he's describing, is that one can remove the harddisk, mount it as secondary drive, replace system binaries with keylogging enabled binaries and then put it back. You won't notice this till you read daily security report in a default system. > It's easy enough to make a list of SHA256 checksums of all binaries and > store that on the encrypted partition, so you can check the binaries any > time you want. Like sysutils/tripwire. Even if the system doesn't let you boot if system binaries have changed, the damage is probably done already because the geli passphrase binary logged your passphrase. It's questionable though, whether you should leave your computer in an environment where this can happen undetected and probably better solved by increasing real life security. -- Mel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200710102337.57373.fbsd.questions>