Root boot/mount Password?

Roland Smith rsmith at xs4all.nl
Sun Jul 27 10:12:19 UTC 2008 

On Sun, Jul 27, 2008 at 09:47:44AM -0000, DSA - JCR wrote:
> On Sat, Jul 26, 2008 at 05:31:23PM -0000, DSA - JCR wrote:
> >> Hi all
> >>
> >> FreeBSD 6.2
> >>
> >> I would like to put a password when booting/mounting mi Freebsd box. is
> >> it possible? How?
> >
> >Yes. Use geli(8) encryption.
> >
> >> is for protecting the system from unauthorized users
> >
> >Disk encryption also protects your data if the PC or harddrive is stolen.
> >Roland
> >
> 
> Yes, I had thinking of Geli, but my system is up and running and I don't
> know if I can use geli for this without breaking all
> I have used geli for unused disks and for swap but not for root, because i
> dont know if I will break all....
> 
> can I use it for root, when it is a live system?

You can encrypt the root filesystem, but in that case /boot must be on a
separate unencrypted partition, otherwise the OS cannot boot. So unless
you have a spare partition for /boot, you'll have to make backups and
re-partition your disk.

Note that encrypting the partitions where the OS lives is not
particularly usefull; there is nothing secret there. On the contrary, it
would potentially make the encrypted partition vulnerable to a known
plaintext attack.

So what I would recommend it to put all _your_ data (which you want to
protect from unauthorized access) on one partition (in case of a
desktop, I'd use /home), and encrypt that. To do this you should back up
all your data. Then you fill the partition with random noise using 'dd
if=/dev/random'. This can take some time depending on the size of the
partition. As soon as that is done you can use 'geli init' to initialize
a geli-encrypted device, and 'geli attach' to make a device node. Then
you can use newfs on the new device, mount it and restore your
backup. Now edit /etc/fstab to refer to the geli device. On the next
boot, the rc scripts will ask for the password and take care of the
mounting of the device.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20080727/2f688df4/attachment.pgp

More information about the freebsd-questions mailing list