On Wed, Apr 08, 2009 at 07:06:27AM -0700, new_guy wrote: > > Hi guys, > > I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already > have setup. The laptop is up and working fine and I don't want to screw it > up. It have the default partition layout. I've already used geli to encrypt > the swap partition. > > The default partitioning at install creates / /tmp /usr and /var. I thought > I would start with /tmp as I should be able to fix that if I mess up. > > Some questions... > > 1. Will each partition have to be mounted with a password?
You can use a password, a file containing a key or both. See geli(8). The security of an encrypted partition relying solely on a key from another partition is qeustionable at least. > 2. What's the most straight-forward way to go about this without screwing > up? You cannot encrypt the whole disk. You'll need an unencrypted /boot partition to read the kernel from, and unencrypted boot sector. Furthermore, you cannot encrypt a partition in place. You'll have to move the data somewhere else, unmount the partition, encrypt it, newfs it, attach and mount the encrypted partition and restore the data Personally, I think there is little value or security in encrypting / and /usr. There is really nothing secret there. One could even argue that the well-known content of / might /usr might facilitate known plaintext attacks! The only possible reason is to inconvenience a thief, but one might argue that putting anything but windows on it accomplishes that quite nicely. :-) And if your laptop is not a powerhouse, using encryption is going to eat CPU cycles. My advice would be to put /home (where _your_ data resides) on a seperate partition and encrypt only that partition, with a password. Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Description: PGP signature