On Wed, Oct 10, 2007 at 08:18:38PM +0200, Fabian Keil wrote:
> Roland Smith <[EMAIL PROTECTED]> wrote:
> 
> > On Wed, Oct 10, 2007 at 09:04:34AM -0400, Steve Bertrand wrote:
> > 
> > > I am voraciously attempting to get a FreeBSD system to boot from a GELI
> > > encrypted hard disk, but am having problems.
> > 
> > You don't need to encrypt the whole hard disk. You can encrypt separate
> > slices. There is no need to encrypt stuff like / or /usr; what is there
> > that needs to be kept secret?
> 
> Encryption isn't only useful for private data,
> it also reduces the risk of third parties replacing
> your binaries with Trojans while you're away.
If that someone can replace binaries on a running system, your box has
been h4x0red and you're screwed anyway. Doubly so if your encrypted
filesystem was mounted at the time. :-)

Disk encryption is mostly a defense against data loss in case of the
machine or disk being stolen.

It's easy enough to make a list of SHA256 checksums of all binaries and
store that on the encrypted partition, so you can check the binaries any
time you want.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
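Roland's checksum-manifest idea, as an added example that is not code from the thread: a POSIX sh script that builds a SHA256 manifest of every regular file under the given directories and later re-hashes them against it, reporting OK, CHANGED or MISSING per file. The manifest path in the usage comment is a placeholder for a location on the encrypted partition; the script uses sha256sum(1) where present and falls back to FreeBSD's sha256(1).

```shell
#!/bin/sh
# Added example: SHA256 manifest of system binaries, kept on encrypted storage.
# Usage (placeholder paths):
#   build_manifest /secure/binaries.sha256 /bin /sbin /usr/bin /usr/sbin
#   verify_manifest /secure/binaries.sha256

# Print the hex SHA256 digest of one file; prefer GNU sha256sum, else FreeBSD sha256 -q.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# build_manifest MANIFEST DIR...: one "digest  path" line per regular file,
# sorted so that two manifests of the same tree are directly comparable.
build_manifest() {
    manifest=$1; shift
    find "$@" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$manifest"
}

# verify_manifest MANIFEST: re-hash every listed file. Prints a status line per
# file and returns 0 only when all files exist and match their recorded digest.
verify_manifest() {
    manifest=$1
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1; continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'CHANGED  %s\n' "$path"; rc=1
        fi
    done < "$manifest"
    return $rc
}
```

The check is only as trustworthy as the shell and sha256 binary that perform it, so verify those first or run them from the encrypted partition as well.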