Booting encrypted
Steve Watt
steve at Watt.COM
Tue Sep 7 14:15:10 PDT 2004
On Sep 7, 13:54, ctodd at chrismiller.com wrote:
} Subject: Re: Booting encrypted
}
} > Having the password compiled in to something that's necessarily clear-text
} > on the same media?
}
} If the authorization mechanism is limited to plain text, then yes. I know
} that "strings" can be used to attempt to find the passphrase in the load,
} but there may be ways to prevent the passphrase from being retrieved in
} this manner.
It can be a 256-bit AES key for all I care -- it simply must be the key
necessary to decrypt the remaining contents of the filesystem available
in a way that it can be fed to the crypto algorithm and get plain-text
of the filesystem out. And the key must be in plain-text, because you
don't have any keys available to decrypt the key...
} > You're not adding anything resembling a challenge for someone who's really
} > interested in reverse-engineering your system. Any user (I won't call such
} > a person *acker) incapable of getting around such a thing probably won't
} > be trying to reverse-engineer it anyhow.
}
} Well the point is to have a system where the entire filesystem (except the
} loader of coarse) is encrypted. Runtime access to the system via the shell
} would be removed or locked down.
}
} I wasn't able to find any info about booting encrypted filesystems, but I
} can't believe I'm the only one that has raised the question.
Because it doesn't contribute any security to the system to have the
bootable partition encrypted, or else you wind up requiring a password
to boot (not necessarily a bad thing, but probably not appropriate
for your application).
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
More information about the freebsd-hackers
mailing list