FreeBSD Security in Multiuser Environments

Pawel Jakub Dawidek pjd at
Sun Apr 1 21:06:00 UTC 2012

On Sun, Apr 01, 2012 at 10:49:31AM +0200, Dag-Erling Smørgrav wrote:
> schultz at writes:
> >   * Encrypted the whole (except /boot) system with geli(8)
> >     (HMAC/SHA256 and AES-XTS). It is not as nice and much slower
> >     than proper filesystem-level checksumming but it is what
> >     FreeBSD provides (ZFS is too unstable).
> ZFS is stable enough, but I'm a little confused: encryption is not
> "checksumming", and ZFS provides checksums but not encryption.

Also, on-disk encryption provides no additional protection against
system users. It protects the data when no keys are available (for
example when your turned off laptop is stolen) and in running system
keys are in memory and disks are decrypted, so users that are logged in
have access to decrypted content. To protect file system content from
system users one should use standard UNIX permissions and ACLs.

Pawel Jakub Dawidek             
FreeBSD committer               
Am I Evil? Yes, I Am!           
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url :

More information about the freebsd-security mailing list