geli remote password entering

Xin Li delphij at delphij.net
Fri Aug 24 18:37:51 UTC 2012


On 08/24/12 04:16, brouci tykadylko wrote:
> Thinking about encrypting everything except /boot by geli(+zfs).
> Since the server is remote, there is a problem with entering the key
> after a restart. There is a possibility of KVM at the datacenter, but I
> don't want to bother with it upon every reboot, not to mention the
> possibility of remote interception. My idea so far is to use a
> RAMdisk image with a bare ssh like DropBear (like here:
> http://www.webgroup.ch/linuxtag2006/Paper.pdf), but I still didn't
> try. The dream solution is a bootloader with an ssh interface, but I
> didn't hear about any for fBSD. Did any of you try something
> similar? Or do you have any other idea?

I have posted something with a similar idea here:

http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html

But this is different -- you can't have only /boot unencrypted because
it requires / and /usr to be available at very early boot time.
Personally I'm not quite concerned with / unencrypted -- you could
reveal /etc/master.passwd in the worst case, but sensitive data can be
stored in encrypted partitions.

Cheers,
-- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
