Geli questions.. ponderings..
Steve Brown
sdbrown at annular.org
Wed Aug 23 23:07:16 UTC 2006
> The idea: I'd like to use geli to encrypt *everything* on the disk. So
> if someone (a competitor maybe) removes the disk from the machine, he
> can't gain any data off of it easily. I know nothing is 100%, but why
> make the process easy for him?
It seems like there is a more basic problem here than automating key
downloading. If the end-user can boot up the box, then they have an
opportunity to interfere with the boot process. The code providing
instructions to fetch a remote key would have to be in the clear, in
which case the competitor could just use that code to get the remote key
(since it would do so automatically on boot, I assume you're not
requiring the client to call you for key authorization every time?) and
then access the disk.
The problem is wanting to automate the decryption process, I think.
Steve B.
More information about the freebsd-questions
mailing list