Booting a GELI encrypted hard disk

Pawel Jakub Dawidek pjd at FreeBSD.org
Wed Oct 24 10:40:29 PDT 2007 

On Thu, Oct 25, 2007 at 12:46:53AM +0800, Daniel Marsh wrote:
> Even if all data on a drive is encrypted, the partition table is not.
> Software based disk encryption works on partitions.

That's not true. One can configure full disk encryption using GELI. To
do it you need to have a small USB pen-drive or CD-ROM with /boot/
directory, but that's all you need. Then you actually boot from your
unencrypted pen-drive, but mount all file systems from encrypted disk.
The pen-drive is not needed for your system to run and you can be easly
take it with you, which is not always the case for your laptop.

> How far into the boot sequence do you get before your system crashes without
> the key present?
> I would assume as far as reading the / partition to get the kernel etc...
> 
> It would have read the partition table and the boot loader, known which
> partition was the "active" partition and tried booting it.
> 
> Now, to identify what OS this disk has on it you can check the partition
> table and see what "type" has been set for each slice/partition.
> You will be able to see that there is a BSD style slice on the disk just by
> running `fdisk /dev/mystolendiskdevice`
> You now know it's a BSD OS, you could then make a guess as to what version
> of BSD by the type of machine it was taken from, based on what hardware is
> supported by each BSD.
> 
> I believe their slices and layout are identical but the file systems differ.
> 
> The person with your disk could then start trying to determine what kind of
> disk encryption is in place.

That's all irrelevant. Security of GELI (or any sane cryptographic
system) doesn't depend on secrecy of algorithms used.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071024/730e38e3/attachment.pgp

More information about the freebsd-questions mailing list