geli on exisitng laptop

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Apr 8 10:27:51 PDT 2009 

new_guy wrote:
> Hi guys,
> 
> I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
> have setup. The laptop is up and working fine and I don't want to screw it
> up. It have the default partition layout. I've already used geli to encrypt
> the swap partition. 
> 
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up. 
> 
> Some questions...
> 
> 1. Will each partition have to be mounted with a password?
> 2. What's the most straight-forward way to go about this without screwing
> up?
> 
> I already have the eli module loaded in the /boot/loader.conf so I won't
> need to re-compile, etc.
> 

To convert a partition to geli requires you to wipe out all the contents,
scribble over the partition with random data to get rid of any remnants of
the unencrypted content, set up the encryption keys and then rebuild the file
system and recover the data from backup.

Yes, you will need to supply some sort of secret value to retrieve the 
encrypted disk contents.  This is usually configured to mean typing in a
passphrase at the time the partition is mounted, although it is also possible
to store crypto keys on a removable medium such as  USB key -- you don't 
necessarily have to use a pass phrase in that case, although it's a good idea
for the most effective security.  Once the partition is mounted, you should be
able to take the key out and put it in a safe place and still keep running.

Depending on your requirements you can encrypt the whole drive -- which while
highly secure requires you to have crypto keys etc. on a removable medium and
is a little tricky to get working properly -- or you can create a small
unencrypted partition which should contain the kernel and necessary crypto bits
(ie. the contents of /boot at a minimum) and then encrypt things partition by partition.  You will have to type in a pass phrase to mount each different
encrypted partition -- to prevent this becoming too onerous, consider using a
'one big partition' layout.

Also note that you should encrypt the swap partition, or someone coming into
possession of the laptop may be trivially able to recover secret data from it:
this is pretty automated and can be achieved by simply editing /etc/fstab to
change the mount device to eg. /dev/ad0s1b.eli and rebooting -- an ephemeral
key is used, so no typing passphrases is required in this instance.  Setting up
a swap-backed tmpmfs will then then give you an encrypted /tmp too.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090408/b99dd0cd/signature.pgp

More information about the freebsd-questions mailing list