Hard drive encryption

Svein Halvor Halvorsen svein-freebsd-questions at theloosingend.net
Fri Sep 17 14:53:08 PDT 2004

[Jim.Kinsey at nokia.com, 2004-09-16]
>  I understand that gbde requests a password before the partition can be
>  mounted anyway so this simulates the same functionality of PointSEC,
>  but since it is part of the OS, it seems that if someone has access to
>  the OS, they could still get in.  Is that right?

See gbde(4) http://www.freebsd.org/cgi/man.cgi?query=gbde&sektion=4

	The objective of this facility is to provide a high degree of
	denial of access to the contents of a ``cold'' storage device.

	Be aware that if the computer is compromised while up and running
	and the storage device is actively attached and opened with a
	valid pass-phrase, this facility offers no protection or denial of
	access to the contents of the storage device.

	If, on the other hand, the device is ``cold'', it should present
	an formidable challenge for an attacker to gain access to the
	contents in the absence of a valid pass-phrase.

	Four cryptographic barriers must be passed to gain access to the
	data, and only a valid pass-phrase will yield this access.

A "cold" device should be understood as a hard drive (or other geom-
device) that is not powered on, or that has not yet been opened by a valid
pass-phrase. For more info on the four barriers, read the rest of the
manual page. GBDE should not be any less secure just because the OS has
builtin support for it.

More information about the freebsd-questions mailing list