Booting a GELI encrypted hard disk
Roland Smith
rsmith at xs4all.nl
Wed Oct 10 14:17:05 PDT 2007
On Wed, Oct 10, 2007 at 08:18:38PM +0200, Fabian Keil wrote:
> Roland Smith <rsmith at xs4all.nl> wrote:
>
> > On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
>
> > > I am voraciously attempting to get a FreeBSD system to boot from a GELI
> > > encrypted hard disk, but am having problems.
> >
> > You don't need to encrypt the whole harddisk. You can encrypt separate
> > slices. There is no need to encrypt stuff like / or /usr; what is there
> > that needs to be kept secret?
>
> Encryption isn't only useful for private data,
> it also reduces the risk of third parties replacing
> your binaries with Trojans while your away.
If that someone can replace binaries on a running system, you're box has
been h4x0red and you're screwed anyway. Doubly so if your encrypted
filesystem was mounted at the time. :-)
Disk encryption is mostly a defense against data-loss in case of the
machine or disk being stolen.
It's easy enough to make a list of SHA256 checksums of all binaries and
store that on the encrypted partition, so you can check the binaries any
time you want.
Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071010/9bbcd2d9/attachment.pgp
More information about the freebsd-questions
mailing list