[PC-BSD Testing] Disk encryption issues and ... on 8.2 RC 1

Mike Bybee mbybee at dometrilogy.com
Fri Jan 14 07:27:44 PST 2011


On Thu, Jan 13, 2011 at 5:20 PM, LinuxBSDos.com <finid at linuxbsdos.com> wrote:
>> On Thu, Jan 13, 2011 at 4:16 PM, LinuxBSDos.com <finid at linuxbsdos.com>
>> wrote:
>>>
>>> Here are few observations about disk encryption and the default
>>> partitioning scheme:
>>
>>>
>>> 3. The system gives 3 chances to supply the correct encryption
>>> passphrase
>>> during system boot. I found that if the third and last attempt is
>>> unsuccessful, the system will drop into a console. You may view a
>>> screenshot of it at http://linuxbsdos.com/forum/thread-85.html
>>>
>>> What purpose does this serve? Is it really a good idea to give any kind
>>> of
>>> access if a user is unable to supply the correct passphrase?
>>
>>> --
>>> Fini Decima
>>> http://LinuxBSDos.com
>>>
>>
>> I'm not sure I understand the point of the question - would you
>> propose the system simply be stuck in a boot loop?
>> BIOS passwords operate more the way you're proposing, I guess.
>>
>>
> Well, I thought the whole point of encrypting the disk is to deny any
> access unless the correct passphrase is supplied. It is assumed that if
> the person trying to boot into the system cannot supply the correct
> passphrase, then they are either not authorized to boot the system, or
> they just forgot the passphrase.
>
> In cases where the rightful owner of the box forgot the passphrase, then
> there should be a way that would allow for a backup passphrase tp be
> configured (is that the role the system-generated key is supposed to
> play?).
>
> --
>> Thanks,
>> Mike Bybee
>
> --
> Finid Decima
> http://LinuxBSDos.com
>
>

Unless I'm mistaken, I believe the point of disk encryption is to deny
access to the data. For example, I typically only encrypt data volumes
and swap, since there is less point in encrypting executables -
especially since they should be mounted ro.

The method you're seeing *is* the method for the rightful owner to
recover their data.


-- 
Thanks,
Mike Bybee


More information about the Testing mailing list