[PC-BSD Testing] Disk encryption

finid at linuxbsdos.com finid at linuxbsdos.com
Tue Feb 16 14:41:56 PST 2010


> On Tue, Feb 16, 2010 at 2:44 PM, Kris Moore <kris at pcbsd.com> wrote:
>
>> On 02/15/2010 03:56, finid at linuxbsdos.com wrote:
>> >
>> > I'm trying to get a better understanding of how disk encryption on
>> PC-BSD
>> > works. Here's what I've gleaned by playing with the installer:
>> >
>> > By default, the installer creates slices for /, swap, /var and /usr.
>> >
>> > If you switch to "custom partition ..." and edit the slices, there
>> will
>> be
>> > options to encrypt each slice. When I chose to encrypt /, the
>> installation
>> > failed with an error message that amounted to "encryption of / is not
>> > supported."
>> >
>> > So I tried the installation again and chose to encrypt /usr. From a
>> real
>> > security perspective, this does nothing for me. Just trying to get to
>> know
>> > encryption on PC-BSD. I was expecting the installer to ask for a
>> > passphrase (this is how it works on Linux). But it did not. Instead it
>> > generated two random keys and stored them in the /boot/keys directory.
>> >
>> > Now I'm thinking, if I do not know what the keys are, how useful is
>> this
>> > to me? In any case, I finished the installation and the system
>> rebooted
>> > without asking me for a key.
>> >
>> > Now my question. How does disk encryption work on PC-BSD? I'm hoping
>> that
>> > someone with a better understanding of how this works will jump in and
>> > help me understand how it works.
>> >
>> > I'm assuming that encryption of / is not supported because /boot is a
>> > directory under it. Wouldn't it be better to create a separate slice
>> for
>> > /boot? That way / can be encrypted.
>> >
>> > I hope this makes sense to somebody.
>> >
>> > Thanks,
>> >
>> > --
>> > FD
>>
>> You are correct in your assesment. Right now the GUI isn't allowing
>> encryption of "/" just yet. I've got it on my list to flesh that part of
>> the installer out for 8.1, such as it automatically creating a small
>> /boot partition for the kernel / keys to load when you use encryption on
>> "/".
>>
>> As for the keys, they are simply random passwords essentially, without
>> those you cannot mount / read the partition. Right now this is more
>> suited to creating a new file-system, like "/private" or something, so
>> that you can mount-unmount it on the fly and store private data on it.
>> However when I add the new gui functionality, it'll be more suitable for
>> encrypting / or /usr, and prompting for a password at bootup instead,
>> which is the ultimate goal :)
>>
>> BTW, just for fun, lots of good info on FreeBSD encryption here:
>> http://www.freebsd.org/doc/en/books/handbook/disks-encrypting.html
>>
>> We are using GELI for our encryption support.
>>
>>
>>
> It's also quite easy to re-configure GELI after install to prompt for a
> password, look for the keys on a removable media, etc.
>
>

I'm absolutely certain that it is "quite easy" for any one of us on this
list to re-configure anything to do what we need it to do, but these
things should not be viewed from our own perspective, but from that of the
average Joe/Jane User.

It's always better to put on the shades of a noob when looking at these
systems.

--
Fini Decima



More information about the Testing mailing list