Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 29 Jul 2005 15:33:24 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Eric Anderson <anderson@centtech.com>
Cc:        Niki Denev <nike_d@cytexbg.com>, current@freebsd.org
Subject:   Re: GELI - disk encryption GEOM class committed.
Message-ID:  <20050729133324.GL609@darkness.comp.waw.pl>
In-Reply-To: <42EA2EFE.3030800@centtech.com>
References:  <20050728205413.GB762@darkness.comp.waw.pl> <42E95E08.80006@datacomm.ch> <42E981B9.5060500@datacomm.ch> <20050729103655.GG609@darkness.comp.waw.pl> <42EA205B.2000907@cytexbg.com> <42EA2EFE.3030800@centtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

--qo7zVO9a9OQ5oQtr
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jul 29, 2005 at 08:28:30AM -0500, Eric Anderson wrote:
+> Niki Denev wrote:
+> >Pawel Jakub Dawidek wrote:
+> > > +> Booting from Encrypted Root:
+> >
+> >>+>   GELI - Works. How'd one load the kernel from an encrypted root=20
+> >>though?
+> >>
+> >>Kernel has to be loaded from a USB Pen-Drive or a CD-ROM.
+> >>You need to put /boot/ directory in there. GELI will ask for the=20
+> >>passphrase
+> >>before root file system is mounted. After that you can remove
+> >>Pen-Drive/CD-ROM.
+> >>
+> >
+> >Wouldn't it work if /boot is small separate unencrypted partition?
+> >( Well, there is the possibility that someone replaces your kernel
+> >with one with keylogger to catch your password next time you type it :))
+> >I use this method for bootable RAID1+0 with GEOM's stripe and mirror,
+> >and it seems to work great.
+>=20
+> Maybe you could write up a quick howto on your setup, and post it/submit=
=20
+> it to the doc@ team.

I'd prefer not to, as if you keep your kernel and modules decrypted, there
is no point to encrypt root file system.

--=20
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

--qo7zVO9a9OQ5oQtr
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFC6jAkForvXbEpPzQRAulLAJ0ePZk2E3CHurbUxLO6U8ouahnm5wCcDHY+
dWB3j0qyXvHlCtTHbDUbwQ8=
=gdSU
-----END PGP SIGNATURE-----

--qo7zVO9a9OQ5oQtr--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050729133324.GL609>