On Wed, 10 Oct 2007 23:09:10 +0200 Roland Smith <[EMAIL PROTECTED]> wrote:

> On Wed, Oct 10, 2007 at 02:34:16PM -0400, Steve Bertrand wrote:
> > > If you encrypted / and /usr, you might actually make the system more
> > > vulnerable to a known-plaintext attack, because there are a lot of files
> > > with well-known contents there.
> >
> > I can get away with not having / encrypted, but I need /var encrypted
> > for databases and logs etc, /tmp so any temporary files are secured and
> > the swap file (swap very rarely gets used).
>
> You can even encrypt /tmp with a one-time key (see 'geli onetime').

Don't forget to do the same with your swap partition :) It may be a bit
slower, but your swap would have quite a bit of interesting info if your
system used it. In my rc.conf, I have:

    # ENCRYPTED SWAP PARTITION - OPTIONS
    geli_swap_flags="-e aes -l 192 -s 4096 -d"

and /etc/fstab reads:

    # Device          Mountpoint  FStype  Options  Dump  Pass#
    /dev/ad0s1b.eli   none        swap    sw       0     0

[....]

> However using a USB device presents its own problems. If you plug-in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

[...]

> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

hmm .... I find it much easier to have my normal partitions in clear text,
and then have big files (4, 8 GB) which I attach as a device node and
mount as part of my normal directory tree.[1]

Why do this? Well, for a number of reasons that work for me:

- my backups are VERY simple. Unmount my encrypted disks, back up the lot.
  How do you, safely and with commonly available tools, back up a fully
  encrypted partition? (yes, you could mount it, back up and encrypt the
  backup.... but that's doubling up too much)
- I can take any of my disks and mount it in ANY other FreeBSD computer
  with minimal fuss (even a FreeBSD VM).
- I find the whole thing about having to have the USB @ boot time a bit
  of a pain.
- same goes for keeping good, safe backups of USB keys...
- it works pretty well for specific work... e.g., you want to have all
  your DB data kept safely - make the postgresql script depend on your
  script and you will be prompted for it on startup.

<totally paranoid>
BTW, is any work done on plausible deniability for geli? such as
truecrypt's feature: http://www.truecrypt.org/docs/?s=plausible-deniability
</tp>

thanks!!

[1]
---------------------
#!/bin/sh
# tear down any stale md11 left over from a previous run
# (fails harmlessly if no md11 is attached)
sudo mdconfig -d -u 11
# attach the image file as /dev/md11, open the geli layer on top of it,
# fsck the decrypted filesystem, then mark the geli provider to detach
# itself on last close (-l) and mount it
sudo mdconfig -a -t vnode -f ~/blah.dsk -u 11 && \
sudo geli attach /dev/md11 && \
echo Running fsck... && \
sudo fsck -p -t ufs /dev/md11.eli && \
sudo geli detach -l /dev/md11 && \
sudo mount -o noatime /dev/md11.eli ~/blah
sudo chown betom:betom ~/blah
------------------------------

and, the first time, to create blah.dsk:

--------------------------------
# create the backing file (50000 x 1 KiB), initialise geli on it,
# attach it and put a UFS filesystem with soft updates on the .eli device
dd if=/dev/random of=blah.dsk bs=1024 count=50000
sudo mdconfig -a -t vnode -f ./blah.dsk -u 13
sudo geli init -e AES -l 256 -s 4096 /dev/md13
sudo geli attach /dev/md13
sudo newfs -U /dev/md13.eli
# release md13 again, so the attach script above can use the same file
sudo geli detach /dev/md13.eli
sudo mdconfig -d -u 13
--------------------------------

_________________________
{Beto|Norberto|Numard} Meijome

"I've dirtied my hands writing poetry, for the sake of seduction; that is,
for the sake of a useful cause." Dostoevsky

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"