>>> As you can see only /home is encrypted because the rest doesn't hold
>>> data worth encrypting.
>> Well, on mine it will.
>
> I was talking about my system. Yours will of course be different. :-)

I know. I was not trying to be sarcastic in any way. Sorry if it seemed that way :)

> You can even encrypt /tmp with a one-time key (see 'geli onetime').

I will likely do this with /tmp and swap.

> Also have a look at the geli_* variables in /etc/defaults/rc.conf.

Will do.

> It only needs to be present during creation of the GELI devices (geli
> attach). The rc scripts know they have to load GELI and attach the
> devices if they see an .eli device in /etc/fstab. Geli will ask for the
> passphrase(s) during boot-up if you're using them. You can specify which
> key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf
>
> However using a USB device presents its own problems. If you plug-in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

Getting around these issues is trivial. The only requirement is that my thumbdrive comes with me after the machine is reloaded.

> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Understood. This has been considered, and it's exactly what I do with my TrueCrypt encrypted information on my Windows workstation.

Steve
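How the pieces the quoted reply describes fit together in /etc/rc.conf and /etc/fstab, as an added example that is not from this thread or from the FreeBSD rc scripts themselves; the partition names (ada0p3, ada0p4), the label name "keystick" and the mount point /mnt/keystick are assumptions:

```conf
# /etc/rc.conf (added example; device names are assumptions)
# The key file lives on a USB stick that was labelled once with
#   glabel label keystick /dev/da0
# so it is always reachable as /dev/label/keystick, whatever bus order it gets.
geli_devices="ada0p4"                                 # /home provider, attached at boot
geli_ada0p4_flags="-k /mnt/keystick/home.key"         # key file from the stick + passphrase prompt
geli_swap_flags="-a hmac/sha256 -l 256 -s 4096 -d"    # one-time key for swap, no passphrase

# /etc/fstab
# The .eli suffix is what tells the rc scripts to load geli and attach the device.
/dev/ada0p3.eli      none           swap     sw         0 0   # encswap runs 'geli onetime' every boot
/dev/ada0p4.eli      /home          ufs      rw         2 2
/dev/label/keystick  /mnt/keystick  msdosfs  ro,noauto  0 0   # must be mounted before geli attaches ada0p4
```

The last fstab line only gives the stick a stable mount; getting it mounted ahead of the GELI attach is the rc-script change the reply mentions, and losing the stick (or its backup) means losing /home.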