GELI - disk encryption GEOM class committed.
Eric Anderson
anderson at centtech.com
Fri Jul 29 13:37:42 GMT 2005
Pawel Jakub Dawidek wrote:
> On Fri, Jul 29, 2005 at 08:28:30AM -0500, Eric Anderson wrote:
> > Niki Denev wrote:
> > > Pawel Jakub Dawidek wrote:
> > > > > Booting from Encrypted Root:
> > > > >
> > > > > GELI - Works. How'd one load the kernel from an encrypted root
> > > > > though?
> > > >
> > > > Kernel has to be loaded from a USB Pen-Drive or a CD-ROM.
> > > > You need to put the /boot/ directory in there. GELI will ask for the
> > > > passphrase before the root file system is mounted. After that you can
> > > > remove the Pen-Drive/CD-ROM.
> > >
> > > Wouldn't it work if /boot is a small separate unencrypted partition?
> > > ( Well, there is the possibility that someone replaces your kernel
> > > with one with a keylogger to catch your password next time you type it :))
> > > I use this method for bootable RAID1+0 with GEOM's stripe and mirror,
> > > and it seems to work great.
> >
> > Maybe you could write up a quick howto on your setup, and post it/submit
> > it to the doc@ team.
>
> I'd prefer not to, as if you keep your kernel and modules decrypted, there
> is no point to encrypt the root file system.
Hmm - is that really true? How can one decrypt the root partition data
without the key, but with the kernel and modules? It seems that if that
is a problem, then encrypting any partition without the kernel/modules
encrypted would be the same scenario.
I think there still is benefit in encrypting the root, but not /boot.
Eric
--
------------------------------------------------------------------------
Eric Anderson Sr. Systems Administrator Centaur Technology
Anything that works is better than anything that doesn't.
------------------------------------------------------------------------
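One defensive check for the unencrypted-/boot layout debated in this thread, added here as an example and not code from any poster: a manifest of SHA-256 hashes of everything under /boot is kept on the encrypted root and re-checked once the root is attached, so a swapped kernel or module (the keylogger scenario Niki mentions) is at least detected. The manifest path, the /boot location and the availability of sha256sum (GNU) or sha256 (FreeBSD) are assumptions.

```shell
#!/bin/sh
# Default locations are assumptions; override via the environment.
BOOTDIR="${BOOTDIR:-/boot}"
MANIFEST="${MANIFEST:-/root/boot.sha256}"   # lives on the encrypted root

# Print the SHA-256 of one file; GNU coreutils or FreeBSD's sha256(1).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# boot_manifest_create BOOTDIR MANIFEST
# Record "hash  path" for every regular file, in a stable sorted order,
# while the system is known to be good.
boot_manifest_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# boot_manifest_verify MANIFEST BOOTDIR
# Returns 0 when every listed file is present and unchanged and no file
# was added; otherwise prints what differs and returns 1.
boot_manifest_verify() {
    rc=0
    while IFS= read -r line; do
        expected=${line%%  *}
        path=${line#*  }
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        fi
    done < "$1"
    # An extra kernel module dropped into /boot also counts as tampering:
    # compare the recorded file list with what is there now.
    listed=$(cut -d' ' -f3- "$1")
    actual=$(find "$2" -type f | LC_ALL=C sort)
    if [ "$listed" != "$actual" ]; then
        printf 'FILE SET CHANGED under %s\n' "$2"; rc=1
    fi
    return $rc
}
```

Run `boot_manifest_create "$BOOTDIR" "$MANIFEST"` after a trusted install or kernel upgrade, and `boot_manifest_verify "$MANIFEST" "$BOOTDIR"` from an rc script once the GELI root is mounted.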