Booting a GELI encrypted hard disk
rsmith at xs4all.nl
Wed Oct 10 10:54:00 PDT 2007
On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> Hi all,
> I am voraciously attempting to get a FreeBSD system to boot from a GELI
> encrypted hard disk, but am having problems.
You don't need to encrypt the whole harddisk. You can encrypt separate
slices. There is no need to encrypt stuff like / or /usr; what is there
that needs to be kept secret?
> All of my searches lead to the same problem...GELI passphrase can not be
> entered correctly upon boot. I have tried everything I have found on the
> web (including disabling 'kbdmux' in the kernel) to no avail.
With a normal AT keyboard I can enter the passphrase without problems,
for a non-root partition.
> Does anyone have a suggestion for a workaround?
Put all the data that really needs to be encrypted on a separate slice,
and encrypt that. Leave the rest unencrypted, especially /boot. As a
rule of thumb; don't bother encrypting anything that you can just
download from the internet. :-)
Here's how it looks on my machine;
Filesystem Size Used Avail Capacity Mounted on
/dev/ar0s1a 496M 126M 330M 28% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/ar0s1g.eli 120G 82G 28G 75% /home
/dev/ar0s1e 496M 16K 456M 0% /tmp
/dev/ar0s1f 19G 4.7G 13G 26% /usr
/dev/ar0s1d 1.9G 152M 1.6G 8% /var
As you can see only /home is encrypted because the rest doesn't hold
data worth encrypting.
If you encrypted / and /usr, you might actually make the system more
vulnerable to a known-plaintext attack, because there are a lot of files
with well-known contents there.
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071010/f90b74ab/attachment.pgp
More information about the freebsd-questions