On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote:
> Hi guys,
> I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
> have setup. The laptop is up and working fine and I don't want to screw it
> up. It have the default partition layout. I've already used geli to encrypt
> the swap partition. 
> The default partitioning at install creates / /tmp /usr and /var. I thought
> I would start with /tmp as I should be able to fix that if I mess up. 
> Some questions...
> 1. Will each partition have to be mounted with a password?

You can use a password, a file containing a key or both. See
geli(8). The security of an encrypted partition relying solely on a key
from another partition is qeustionable at least.

> 2. What's the most straight-forward way to go about this without screwing
> up?

You cannot encrypt the whole disk. You'll need an unencrypted /boot
partition to read the kernel from, and unencrypted boot sector.

Furthermore, you cannot encrypt a partition in place. You'll have to
move the data somewhere else, unmount the partition, encrypt it, newfs
it, attach and mount the encrypted partition and restore the data

Personally, I think there is little value or security in encrypting /
and /usr. There is really nothing secret there. One could even argue
that the well-known content of / might /usr might facilitate known
plaintext attacks! The only possible reason is to inconvenience a thief,
but one might argue that putting anything but windows on it accomplishes
that quite nicely. :-)

And if your laptop is not a powerhouse, using encryption is going to eat
CPU cycles.

My advice would be to put /home (where _your_ data resides) on a
seperate partition and encrypt only that partition, with a password.

R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Attachment: pgpQex37aCU1L.pgp
Description: PGP signature

Reply via email to