[PC-BSD Testing] Disk encryption

finid at linuxbsdos.com finid at linuxbsdos.com
Mon Feb 15 00:56:11 PST 2010


I'm trying to get a better understanding of how disk encryption on PC-BSD
works. Here's what I've gleaned by playing with the installer:

By default, the installer creates slices for /, swap, /var and /usr.

If you switch to "custom partition ..." and edit the slices, there will be
options to encrypt each slice. When I chose to encrypt /, the installation
failed with an error message that amounted to "encryption of / is not
supported."

So I tried the installation again and chose to encrypt /usr. From a real
security perspective, this does nothing for me. Just trying to get to know
encryption on PC-BSD. I was expecting the installer to ask for a
passphrase (this is how it works on Linux). But it did not. Instead it
generated two random keys and stored them in the /boot/keys directory.

Now I'm thinking, if I do not know what the keys are, how useful is this
to me? In any case, I finished the installation and the system rebooted
without asking me for a key.

Now my question. How does disk encryption work on PC-BSD? I'm hoping that
someone with a better understanding of how this works will jump in and
help me understand how it works.

I'm assuming that encryption of / is not supported because /boot is a
directory under it. Wouldn't it be better to create a separate slice for
/boot? That way / can be encrypted.

I hope this makes sense to somebody.

Thanks,

--
FD





More information about the Testing mailing list