Full disk encryption without root partition

RW rwmaillists at googlemail.com
Sat Dec 29 23:26:05 UTC 2012


On Sat, 29 Dec 2012 22:43:29 +0100
Martin Laabs wrote:

> Hi,
> 
> >> Are there any plans or is there already support for full
> >> disk encryption without the need for a boot partition?
> 
> Well - what would be your benefit? OK - you might not create another
> partition but I think this is not the problem.
> From the point of security you would not get any improvement because
> some type of software has to be unencrypted. And this software could be
> manipulated to do things like e.g. send the encryption key to
> <attacker>. So from this point of view there is no difference whether
> the kernel is unencrypted or any other type of software (that runs
> before the kernel) is unencrypted.

And the advantage of putting the boot partition on a memory stick is
that it's much easier to keep such a device physically secure.

Bootstrapping code on the main hard drive is easier to attack. IIRC
someone demonstrated such an attack against one of the commercial
encryption packages.


More information about the freebsd-questions mailing list