[PC-BSD Testing] Disk encryption

Mike Bybee mbybee at dometrilogy.com
Tue Feb 16 14:31:10 PST 2010


On Tue, Feb 16, 2010 at 2:44 PM, Kris Moore <kris at pcbsd.com> wrote:

> On 02/15/2010 03:56, finid at linuxbsdos.com wrote:
> >
> > I'm trying to get a better understanding of how disk encryption on PC-BSD
> > works. Here's what I've gleaned by playing with the installer:
> >
> > By default, the installer creates slices for /, swap, /var and /usr.
> >
> > If you switch to "custom partition ..." and edit the slices, there will
> be
> > options to encrypt each slice. When I chose to encrypt /, the
> installation
> > failed with an error message that amounted to "encryption of / is not
> > supported."
> >
> > So I tried the installation again and chose to encrypt /usr. From a real
> > security perspective, this does nothing for me. Just trying to get to
> know
> > encryption on PC-BSD. I was expecting the installer to ask for a
> > passphrase (this is how it works on Linux). But it did not. Instead it
> > generated two random keys and stored them in the /boot/keys directory.
> >
> > Now I'm thinking, if I do not know what the keys are, how useful is this
> > to me? In any case, I finished the installation and the system rebooted
> > without asking me for a key.
> >
> > Now my question. How does disk encryption work on PC-BSD? I'm hoping that
> > someone with a better understanding of how this works will jump in and
> > help me understand how it works.
> >
> > I'm assuming that encryption of / is not supported because /boot is a
> > directory under it. Wouldn't it be better to create a separate slice for
> > /boot? That way / can be encrypted.
> >
> > I hope this makes sense to somebody.
> >
> > Thanks,
> >
> > --
> > FD
>
> You are correct in your assesment. Right now the GUI isn't allowing
> encryption of "/" just yet. I've got it on my list to flesh that part of
> the installer out for 8.1, such as it automatically creating a small
> /boot partition for the kernel / keys to load when you use encryption on
> "/".
>
> As for the keys, they are simply random passwords essentially, without
> those you cannot mount / read the partition. Right now this is more
> suited to creating a new file-system, like "/private" or something, so
> that you can mount-unmount it on the fly and store private data on it.
> However when I add the new gui functionality, it'll be more suitable for
> encrypting / or /usr, and prompting for a password at bootup instead,
> which is the ultimate goal :)
>
> BTW, just for fun, lots of good info on FreeBSD encryption here:
> http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html
>
> We are using GELI for our encryption support.
>
>
> --
>
> Kris Moore
> PC-BSD Software
> http://www.pcbsd.com
> _______________________________________________
> Testing mailing list
> Testing at lists.pcbsd.org
> http://lists.pcbsd.org/mailman/listinfo/testing
>
>
It's also quite easy to re-configure GELI after install to prompt for a
password, look for the keys on a removable media, etc.


-- 
Thanks,
Mike Bybee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pcbsd.org/pipermail/testing/attachments/20100216/55a07d38/attachment.html 


More information about the Testing mailing list