> > > If you encrypted / and /usr, you might actually make the system more
> > > vulnerable to a known-plaintext attack, because there are a lot of files
> > > with well-known contents there.
> > 
> > I can get away with not having / encrypted, but I need /var encrypted
> > for databases and logs etc, /tmp so any temporary files are secured and
> > the swap file (swap very rarely gets used).
> You can even encrypt /tmp with a one-time key (see 'geli onetime').

Don't forget to do the same with your swap partition :) It may be a bit slower,
but your swap would have quite a bit of interesting info if your system used it.

In my rc.conf, I have:

geli_swap_flags="-e aes -l 192 -s 4096 -d"

and /etc/fstab reads:

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ad0s1b.eli         none            swap    sw              0       0

> However, using a USB device presents its own problems. If you plug in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).
> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Hmm... I find it much easier to have my normal partitions in clear text, and
then have big files (4, 8 GB) which I attach as a device node and mount as
part of my normal directory tree. [1]

Why do this? Well, for a number of reasons that work for me:
- My backups are VERY simple. Unmount my encrypted disks, back up the lot. How
do you, safely and with commonly available tools, back up a fully encrypted
partition? (Yes, you could mount it, back it up and encrypt the backup... but
that's doubling up too much.)

- I can take any of my disks and mount it in ANY other FreeBSD computer with
minimal fuss (even a FreeBSD VM).

- I find the whole thing about having to have the USB @ boot time a bit of a

- Same goes for keeping good, safe backups of USB keys...

- It works pretty well for specific work, e.g. you want to have all your DB
data kept safely: make the postgresql script depend on your script and you
will be prompted for it on startup.

<totally paranoid>
BTW, is any work being done on plausible deniability for geli? Such as
TrueCrypt's feature:

[1]

# Tear down any stale md11 left from a previous session, then attach the
# image, unlock it, check the filesystem and mount it.
sudo mdconfig -d -u 11
sudo mdconfig -a -t vnode -f ~/blah.dsk -u 11 && \
  sudo geli attach /dev/md11 && \
  echo Running fsck... && \
  sudo fsck -p -t ufs /dev/md11.eli && \
  sudo geli detach -l /dev/md11 && \
  sudo mount -o noatime /dev/md11.eli ~/blah
# geli detach -l marks the .eli provider to detach on last close, so a plain
# umount later is enough to lock the data again.

sudo chown betom:betom ~/blah

And, the first time, to create blah.dsk:

# roughly 50 MB image filled from /dev/random, so unused blocks are not
# distinguishable from encrypted data
dd if=/dev/random of=blah.dsk bs=1024 count=50000

sudo mdconfig -a -t vnode -f ./blah.dsk -u 13

# write the GELI metadata and set the passphrase (AES, 256-bit key, 4k sectors)
sudo geli init -e AES -l 256 -s 4096 /dev/md13

sudo geli attach /dev/md13

# create a UFS filesystem with soft updates on the decrypted provider
sudo newfs -U /dev/md13.eli
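As an added example (my own, not from the thread), here is the attach sequence from [1] as a reusable sh script with a guard against reusing an md unit and a matching detach. It assumes it runs as root (the commands above use sudo) and that setting DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Attach/detach a GELI-encrypted vnode-backed image (FreeBSD).
# DRY_RUN=1 prints each command instead of running it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Map an md unit number to its raw and decrypted provider names.
md_dev()  { printf '/dev/md%s' "$1"; }
eli_dev() { printf '/dev/md%s.eli' "$1"; }

# attach_image IMAGE UNIT MOUNTPOINT
attach_image() {
    img=$1; unit=$2; mnt=$3
    # Refuse to reuse a unit that is already configured instead of
    # silently stacking a second vnode on it (skipped in dry-run mode).
    if [ "${DRY_RUN:-0}" != 1 ] && [ -c "$(md_dev "$unit")" ]; then
        echo "md$unit is already configured" >&2
        return 1
    fi
    run mdconfig -a -t vnode -f "$img" -u "$unit"
    run geli attach "$(md_dev "$unit")"      # prompts for the passphrase
    run fsck -p -t ufs "$(eli_dev "$unit")"
    # -l: the .eli provider detaches itself once its last consumer closes,
    # so a later umount is all that is needed to lock the data again.
    run geli detach -l "$(md_dev "$unit")"
    run mount -o noatime "$(eli_dev "$unit")" "$mnt"
}

# detach_image UNIT MOUNTPOINT
detach_image() {
    unit=$1; mnt=$2
    run umount "$mnt"            # triggers the deferred geli detach
    run mdconfig -d -u "$unit"   # free the md unit backing the image
}
```

Run it as `DRY_RUN=1 sh -c '. ./geli-image.sh; attach_image ~/blah.dsk 11 ~/blah'` first to review the exact commands before doing it for real.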
