GELI - FreeBSD Full Disk Encryption

Network Security SecurityAdmin at hush.com
Wed Sep 6 15:26:05 PDT 2006


GELI even properly installed has some security problems, so I've linked to a FreeBSD Full Disk Encryption Howto video. Maybe it will save somebody from losing their entire file system.

It's about an hour long and covers GELI and GBDE and can be viewed (courtesy of Google Video) here:
http://www.zuit.net/freebsd-disk-encryption-video.html

-Brian

Brian J. Brandon
Network Security Consultant
Los Angeles, California
SecurityAdmin at Hush.com
Tel. No. 866.395.1039



Wednesday, September 6, 2006, 2:28:20 PM, you wrote:


You are a complete madman. You want to protect your data with a key stored 
on the most completely and utterly unreliable form of data storage still 
lamentably in use? It's not the 1970s anymore, get a real data storage 
medium!

Get a USB flash drive; from there it's a simple matter of changing the geli 
script to mount a specific USB device before starting. Look in 
/etc/rc.d/geli and geli2. I'd put your mounting and checks between the 
kldstat and the "if [ -z" in the geli_start() sub.

You'll want to then use "geli -K" to input your key material, so you'll 
want to make sure your device is present, and that it has the expected key 
filename on it. You could also use dd and dump the first n sectors to 
stdout and pipe that into your geli command.

Seems like quite a waste if you don't intend to use a passphrase.

  On Wed, 6 Sep 2006, Frank Steinborn wrote:

> Hello,
>
> I want to encrypt my HDDs with GELI (not the root-fs, though). I want
> to do the encryption without password, just with a key. The key should
> be stored on a floppy disk, and the key should be read automatically
> on boot, from the floppy.
>
> There is a problem here, because GELI initializes _before_ mounting
> the disks from /etc/fstab (for obvious reasons, of course). So GELI is
> not able to get the keys from the floppy and fails.
>
> So, any hints how I could get the floppy mounted _before_ GELI tries
> to initialize?
>
> Thanks in advance,
> Frank
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
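The sequence the reply above suggests (mount the key medium before geli starts, check that the expected key file is there, then attach with a key file and no passphrase), written out as an added example. This is not code from the thread nor FreeBSD's own /etc/rc.d/geli; the device name, mount point, key file name and provider are assumptions and would be replaced with the real ones. The geli(8) flags used are -K (key file at `geli init` time, with -P for no passphrase) and -k with -p at `geli attach` time. Everything that touches hardware lives inside functions so the helpers can be exercised on their own.

```sh
#!/bin/sh
# Added example: helpers for a geli_start() hook that waits for a removable
# key medium, mounts it read-only, verifies the key file, attaches the
# provider without a passphrase and unmounts the medium again.
# All names below are assumptions, not values from the thread.

KEY_DEV="${KEY_DEV:-/dev/da0s1}"      # assumed USB stick slice (msdosfs)
KEY_MNT="${KEY_MNT:-/mnt/gelikey}"    # assumed mount point for the stick
KEY_FILE="${KEY_FILE:-geli.key}"      # assumed key file name on the stick
PROVIDER="${PROVIDER:-ad2}"           # assumed data disk initialised with
                                      #   geli init -P -K geli.key ad2
WAIT_SECS="${WAIT_SECS:-10}"          # how long to wait for USB enumeration

# wait_for_device DEV SECONDS: poll until the device node exists, because
# USB enumeration can finish after rc.d/geli runs. Returns 1 on timeout.
wait_for_device() {
    dev=$1; n=$2
    while [ "$n" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# key_file_ok PATH: the key file must exist, be readable and be non-empty.
# A missing or empty file means the attach would fail anyway, so fail
# closed here with a clear message instead of a confusing geli error.
key_file_ok() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ]
}

# mount_key_medium DEV MNT: read-only mount; the boot path never writes
# to the key medium.
mount_key_medium() {
    mkdir -p "$2" && mount -o ro -t msdosfs "$1" "$2"
}

# attach_with_keyfile PROVIDER KEYFILE: -p skips the passphrase component,
# -k names the key file (geli(8)).
attach_with_keyfile() {
    geli attach -p -k "$2" "$1"
}

# geli_keydev_start: the block the reply proposes placing in geli_start()
# between the kldstat check and the "if [ -z ..." test. Every step fails
# closed: no device, no key file or a failed attach leaves the provider
# detached, and the medium is unmounted in all cases so the key is not
# left reachable on the running system.
geli_keydev_start() {
    wait_for_device "$KEY_DEV" "$WAIT_SECS" || {
        echo "geli: key device $KEY_DEV not found" >&2
        return 1
    }
    mount_key_medium "$KEY_DEV" "$KEY_MNT" || return 1
    if key_file_ok "$KEY_MNT/$KEY_FILE"; then
        attach_with_keyfile "$PROVIDER" "$KEY_MNT/$KEY_FILE"
        rc=$?
    else
        echo "geli: key file $KEY_FILE missing or empty on $KEY_DEV" >&2
        rc=1
    fi
    umount "$KEY_MNT"
    return $rc
}

# In the rc script, geli_start() would call geli_keydev_start here; it is
# not invoked at top level so the file can be sourced without touching
# hardware.
```

Two design points worth noting. The medium is mounted read-only and unmounted immediately after the attach, so the key file is only reachable during the few seconds it is needed. And because the provider was initialised with -P (no passphrase), possession of the stick alone decrypts the disk, which is the trade-off the reply's last line ("quite a waste if you don't intend to use a passphrase") is pointing at; the check that the expected file name is present at least stops the boot from stalling on a wrong or unrelated USB device.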
