harddrive encryption

[Chip Camden]

Quoth Roland Smith on Tuesday, 18 January 2011:
> On Mon, Jan 17, 2011 at 10:05:53PM -0700, Modulok wrote:
> > On 1/17/11, Roland Smith <rsmith at xs4all.nl> wrote:
> > > On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
> > >> Hi,
> > >>
> > >> is it possible to encrypt my full harddrive (excluding /boot) during a
> > >> freebsd installation. Or do I have to do this after the installation
> > >> manually?
> > >
> > > Currently you have to do it manually afterwards.
> > >
> > > Personally, I would not bother encrypting the OS data; there is nothing
> > > secret
> > > there, and it does have a performance impact. Plus it would provide ample
> > > material for a known-plaintext attack!
> > >
> > 
> > Modern ciphers such as AES are not susceptible to known plaintext
> > attacks.
> 
> That is indeed what it says on
> http://en.wikipedia.org/wiki/Known-plaintext_attack. But without any
> source or other justification. In this case, I'd say [citation needed]!
> 
> At one time Enigma and DES were regarded as unbreakable. :-) 
> 
> Roland
> -- 
> R.F.Smith                                   http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

It seems prudent to me to reduce the attack surface to that which really
needs to be defended -- "When you defend everything, you defend nothing".
Not to mention avoiding the overhead of encrypting OS files.

What do you folks think of the relative merits of AES vs Blowfish for
disk encryption?

-- 
Sterling (Chip) Camden | sterling at camdensoftware.com | 2048D/3A978E4F
http://chipsquips.com  | http://camdensoftware.com   | http://chipstips.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20110118/372bf910/attachment.pgp