encrypted drives

Kenyon Ralph kralph at gmail.com
Wed Mar 22 09:33:00 UTC 2006


On 3/22/06, Erik Norgaard <norgaard at locolomo.org> wrote:
> Kenyon Ralph wrote:
> > On 3/22/06, Erik Norgaard <norgaard at locolomo.org> wrote:
> >> 2) One thing is to create an entire encrypted device for /home. But that
> >> has the unfortunate consequence that other users' data is unencrypted
> >> once the system is up.
> >>
> >> What would be more appropriate is a solution where each home-dir is an
> >> encrypted mfs which is decrypted and mounted when the user logs in, is
> >> this possible?
> >
> > I think this is exactly what Mac OS X does with its FileVault feature.
>
> I was just reading this column by Kelly Martin
>
>    http://www.securityfocus.com/columnists/393
>
> when I wrote this, but the FreeBSD solution may not be so simple as the
> OSX. Now, the FileVault according to the article encrypts the entire
> home partition which is fine for single user laptops, but on multiuser
> systems, each home directory should be distinct encrypted partitions in
> order not to disclose data to other users.
>
> In this case, you would also like the ability to dynamically grow the
> filesystem when more space is needed, unless of course you simply say,
> that's the hard quota limit.

Actually, the article says "FileVault encrypts a user's entire home
directory, settings and all data."  I have a PowerBook and I used to
use FileVault on it.  From my observations, it works by making an
encrypted Disk Image file of your home directory which is mounted and
unmounted at login and logoff.  It is a special disk image called a
"sparse" image which can grow, but can't be shrunk while the image is
mounted.  This is mostly why I stopped using FileVault--doing a lot of
I/O in my homedir caused the sparse image to gradually grow, then I'd
eventually have to log off and let it recover all the gaps in the
image, a slow process.  There is a different image for each user, so
it works in multiuser environments.  OS X keeps your unix passwd and
the disk image decryption passphrase synchronized if you use the OS X
GUI to change your password.


More information about the freebsd-questions mailing list