disk label and geli encrypted slice
temp0607 at mail.securge.net
Sun Jun 22 19:41:36 UTC 2008
I'm using geli on a laptop PC with only one HDD. The disk is divided into two
slices, ad0s1 and ad0s2. The second slice (ad0s2) is encrypted with GEOM ELI
using two-factor authentication - passphrase plus keyfile on a USB drive.
FreeBSD is installed on ad0s2.eli and the first slice is not used by this
system, so let's say that I've got full disk encryption.

Now my question - is it safe to keep a backup of the encrypted disk's label
(dump of bsdlabel /dev/ad0s2.eli) on the same USB drive with the keyfile?
Information about the partitions itself is not important to me, I don't
feel like I have to keep it secret, but is it any advantage to an attacker
if she gets her hands not only on the keyfile but also on the unencrypted BSD
label and then gains access to the still encrypted media?

I'm deliberately omitting the fact that in this scenario the attacker has
access to the unencrypted kernel or /boot directory on the USB drive so he could
trojan it or do other nasty things to obtain my passphrase later.
"I do not fear computers. I fear the lack of them." -Isaac Asimov