-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/24/12 04:16, brouci tykadylko wrote: > Thinking about encrypting everything except /boot by geli(+zfs). > Since server is remote, there is a problem with entering the key > after restart. There is a possibility of KVM at datacenter, but I > don't want to bother with it upon every reboot, and not speaking > about possibility of remote interception. My idea so far is to use > RAMdisk image with bare ssh like DropBear (like here: > http://www.webgroup.ch/linuxtag2006/Paper.pdf), but i still didn't > try. Dream solution is a bootloader with a ssh interface, but I > didn't hear about any for fBSD. Did any of you try something > similar? Or do you have any other idea?
I have posted something with similar idea here: http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html But this is different -- you can't have only /boot unencrypted because it requires / and /usr be available at very early boot time. Personally I'm not quite concerned with / unencrypted -- you could reveal /etc/master.passwd in the worst case but sensitive data can be stored in encrypted partitions. Cheers, - -- Xin LI <[email protected]> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJQN8n+AAoJEG80Jeu8UPuztuUIAMMw3uQokMU59hEopWgqMnk/ BOJUT5XstwmGJ+FRcvgG3gcVGMzyC9qhCqeSIGGGP88k1riZjKmmmgLJ2k/YjtNt SlEojdj8py7r/ZzvpHK8HykA33V+F7LSxubtH+xZaWLcXyRXSOCsvVY+Xu/7jDPu 0oRYR2uAPnEqYoqPDVm7DZovL8T2HAf3cEDy1ZbaWl5tlkFejhgoCO9s2FY87ktU /K2TlZM7ksTndzCYJLW5BIan2On25IUW9QQyL61kRGsSbn10JzWI96wDO6xpwkra GDgnvXVQ2GqSviy1iSF3JJfMG43PnRQ20Eg2XikXmtCzTSx+MSSeVt282RuFyi4= =ENh1 -----END PGP SIGNATURE----- _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-geom To unsubscribe, send any mail to "[email protected]"
