Booting a GELI encrypted hard disk

Steve Bertrand iaccounts at
Wed Oct 10 11:34:03 PDT 2007

> Put all the data that really needs to be encrypted on a separate slice,
> and encrypt that. Leave the rest unencrypted, especially /boot. As a
> rule of thumb; don't bother encrypting anything that you can just
> download from the internet. :-)

Fair enough, this makes sense. Thank you.

> As you can see only /home is encrypted because the rest doesn't hold
> data worth encrypting.

Well, on mine it will.

> If you encrypted / and /usr, you might actually make the system more
> vulnerable to a known-plaintext attack, because there are a lot of files
> with well-known contents there.

I can get away with not having / encrypted, but I need /var encrypted
for databases and logs etc, /tmp so any temporary files are secured and
the swap file (swap very rarely gets used).

So, I will test it as you suggested, however, would it be possible to
still house my key on a removable USB stick, and after the slices are
mounted into the file system successfully to then unmount and remove the
USB drive and have the box remain in operation, or does the key need to
be accessed throughout all disk reads/writes?

Essentially, I'd like it so that if the box reboots while I am gone, or
if I want to reboot it remotely there is theoretically no way for
someone at the console to re-mount the encrypted slices?

Thank you for all of this info!


More information about the freebsd-questions mailing list