Re: GEOM/GELI Boot Disk Encryption
On Jun 7, 2007, at 9:54 AM, cpghost wrote:

> On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote:
>
> You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp,
> and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in
> addition to /home. Most userland programs can leak sensitive data there
> that you'd rather have encrypted too.
>
> Add to this: stuff like /var/db (esp. useful for /var/db/pgsql,
> /var/db/mysql, mail spool directories and some such), and maybe /var/log
> as well. Encrypting the complete /var filesystem is easier though...
>
> Some ports also use /usr/local/www to store user-specific data, but
> what's the point of encrypting this? ;-)
>
> Regards,
> -cpghost.

So, back to encrypting my entire disk, I just need to put the boot partition
on its own slice? There's all the bits available to start up the decryption
stuff after that loads, so I can make my entire system, swap and all,
encrypted, right?

Eric

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: GEOM/GELI Boot Disk Encryption
On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote:
> On Wed, Jun 06, 2007 at 07:28:48AM -0500, Eric F Crist wrote:
>> I'm trying to take a system that already has a running freebsd system (or I
>> can start over), and make the entire system encrypted. I've found
>> instructions (freebsd manual) for creating secondary disks, but not the
>> boot disk in particular.
>>
>> Can anyone point me in the right direction?
>
> Personally, I wouldn't bother encrypting anything but your own data,
> i.e. /home. And for backup purposes it's better to make a separate slice
> for that anyway.

You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp, and
probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in addition
to /home. Most userland programs can leak sensitive data there that you'd
rather have encrypted too.

Add to this: stuff like /var/db (esp. useful for /var/db/pgsql,
/var/db/mysql, mail spool directories and some such), and maybe /var/log as
well. Encrypting the complete /var filesystem is easier though...

Some ports also use /usr/local/www to store user-specific data, but what's
the point of encrypting this? ;-)

> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Regards,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
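The advice above (encrypted swap, the whole of /var, /home) is usually wired into rc.conf and fstab. The script below is an added example, not from this thread or from the FreeBSD project: it builds constructed rc.conf and fstab fragments for that layout (slice names ad0s1b, ad0s1d and ad0s1e are assumptions) and checks that every `.eli` provider fstab mounts is actually attached by something in rc.conf, because a forgotten `geli_devices` entry only shows up as a failed mount at the next boot. Swap gets a random one-time key via `geli_swap_flags`, and /tmp is made swap-backed (`tmpmfs`) so it rides on the encrypted swap instead of needing its own provider.

```shell
#!/bin/sh
# Added example (not from the thread): boot-time geli setup for the extra
# filesystems named above (swap, /var as a whole, /home) and a check that
# fstab and rc.conf agree. Slice names ad0s1b/ad0s1d/ad0s1e are assumptions
# and both fragments are constructed here, not read from a real machine.
set -eu

# Constructed rc.conf fragment.
#  geli_swap_flags: /etc/rc.d/encswap creates the swap provider with a
#    random one-time key on every boot, so pages swapped out do not
#    survive a reboot and no passphrase is needed for swap.
#  geli_devices: providers rc.d/geli attaches (passphrase prompt) before
#    fstab is processed.
#  tmpmfs: swap-backed /tmp, so /tmp data lives on the encrypted swap too.
RC_CONF='geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"
geli_devices="ad0s1d ad0s1e"
tmpmfs="YES"
tmpsize="64m"'

# Constructed fstab fragment: each encrypted mount names the .eli provider.
FSTAB='/dev/ad0s1a      /      ufs   rw  1 1
/dev/ad0s1b.eli  none   swap  sw  0 0
/dev/ad0s1d.eli  /var   ufs   rw  2 2
/dev/ad0s1e.eli  /home  ufs   rw  2 2'

# Same rc.conf with /home's provider forgotten: /home would fail to mount
# at boot because /dev/ad0s1e.eli never gets created.
RC_CONF_BROKEN='geli_swap_flags="-e AES-XTS -l 256 -s 4096 -d"
geli_devices="ad0s1d"'

# Print one line per .eli entry in fstab that nothing in rc.conf attaches:
# swap needs geli_swap_flags, everything else must appear in geli_devices.
# Empty output means the two files are consistent.
check_geli_config() {
    fstab="$1"
    rcconf="$2"
    swapflags=$(printf '%s\n' "$rcconf" | sed -n 's/^geli_swap_flags="\(.*\)"$/\1/p')
    devices=$(printf '%s\n' "$rcconf" | sed -n 's/^geli_devices="\(.*\)"$/\1/p')
    printf '%s\n' "$fstab" | while read -r dev mnt fstype _rest; do
        case "$dev" in
            /dev/*.eli) ;;
            *) continue ;;
        esac
        prov=${dev#/dev/}
        prov=${prov%.eli}
        if [ "$fstype" = swap ]; then
            [ -n "$swapflags" ] || echo "$dev: swap provider but geli_swap_flags is unset"
        else
            case " $devices " in
                *" $prov "*) ;;
                *) echo "$dev: mounted on $mnt but $prov is not in geli_devices" ;;
            esac
        fi
    done
}

echo "good config:"
check_geli_config "$FSTAB" "$RC_CONF"
echo "broken config:"
check_geli_config "$FSTAB" "$RC_CONF_BROKEN"
```

The check deliberately treats swap differently from regular mounts: a swap provider ending in `.eli` is created from scratch by the swap rc script with a throwaway key, whereas a filesystem provider needs its persistent metadata and a passphrase, so it must be listed in `geli_devices`.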
Re: GEOM/GELI Boot Disk Encryption
On Wed, Jun 06, 2007 at 08:27:09PM -0400, Bob wrote:
> What is this virtual machine created with qemu you talk about?

http://fabrice.bellard.free.fr/qemu/ especially
http://fabrice.bellard.free.fr/qemu/about.html

It is a program that emulates a computer. Using a file as a disk image it can
run an operating system and software on a virtual PC. It's very handy if you
want to experiment with other OS's without dual booting.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
RE: GEOM/GELI Boot Disk Encryption
What is this virtual machine created with qemu you talk about?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roland Smith
Sent: Wednesday, June 06, 2007 1:01 PM
To: Eric F Crist
Cc: freebsd-questions@freebsd.org
Subject: Re: GEOM/GELI Boot Disk Encryption

On Wed, Jun 06, 2007 at 07:28:48AM -0500, Eric F Crist wrote:
> Hey folks,
>
> I'm trying to take a system that already has a running freebsd system (or I
> can start over), and make the entire system encrypted. I've found
> instructions (freebsd manual) for creating secondary disks, but not the boot
> disk in particular.
>
> Can anyone point me in the right direction?

The /boot directory must not be encrypted, so you need to put that on a
separate slice. As for the rest, maybe the following thread will help you:
http://lists.freebsd.org/pipermail/freebsd-geom/2006-July/001401.html

The thing is that sysinstall doesn't support creating encrypted disks, so
during install, you'd have to initialize and mount the encrypted slices
manually, and then resume sysinstall.

Personally, I wouldn't bother encrypting anything but your own data,
i.e. /home. And for backup purposes it's better to make a separate slice
for that anyway. Disk encryption is only useful when your disk is stolen; as
long as the disk is mounted, the data is readable (if permissions allow)
anyway.

If your /home is already a separate slice, back up your data, unmount /home
and encrypt it according to geli(8). Mount your encrypted drive and restore
your backup.

A good idea might be to create a virtual machine with e.g. qemu, and practice
on that before you screw up anything important. :-)

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: GEOM/GELI Boot Disk Encryption
On Wed, Jun 06, 2007 at 07:28:48AM -0500, Eric F Crist wrote:
> Hey folks,
>
> I'm trying to take a system that already has a running freebsd system (or I
> can start over), and make the entire system encrypted. I've found
> instructions (freebsd manual) for creating secondary disks, but not the boot
> disk in particular.
>
> Can anyone point me in the right direction?

The /boot directory must not be encrypted, so you need to put that on a
separate slice. As for the rest, maybe the following thread will help you:
http://lists.freebsd.org/pipermail/freebsd-geom/2006-July/001401.html

The thing is that sysinstall doesn't support creating encrypted disks, so
during install, you'd have to initialize and mount the encrypted slices
manually, and then resume sysinstall.

Personally, I wouldn't bother encrypting anything but your own data,
i.e. /home. And for backup purposes it's better to make a separate slice
for that anyway. Disk encryption is only useful when your disk is stolen; as
long as the disk is mounted, the data is readable (if permissions allow)
anyway.

If your /home is already a separate slice, back up your data, unmount /home
and encrypt it according to geli(8). Mount your encrypted drive and restore
your backup.

A good idea might be to create a virtual machine with e.g. qemu, and practice
on that before you screw up anything important. :-)

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
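The "back up, unmount, encrypt according to geli(8), mount, restore" sequence in the reply above, written out as an added example (not code from the thread or from the FreeBSD project). The slice name ad0s1d, the dump file location and the metadata backup path are assumptions. It runs in dry-run mode by default and only prints the commands, which is the same thing you would want to see before trying it on the qemu test machine the reply suggests; the one step beyond the reply is `geli init -B`, which keeps a second copy of the provider metadata off the slice so that a damaged last sector does not take the master key with it.

```shell
#!/bin/sh
# Added example (not from the thread): the /home migration described in the
# reply above as a scripted, dry-run-by-default procedure. Slice name ad0s1d,
# the dump file location and the metadata backup path are assumptions.
# Run with DRY_RUN=0 only on a system where the assumptions hold.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# In dry-run mode print the command instead of executing it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Every step of the migration for one slice, in order.
encrypt_home_slice() {
    dev="$1"                                  # provider under /dev, e.g. ad0s1d
    dumpfile="${2:-/var/backups/home.dump}"   # assumed: must NOT live on $dev
    meta="/root/${dev}.eli.meta"              # assumed: off-slice metadata copy

    # 1. Back up the live filesystem (level-0 dump of the whole of /home).
    run dump -0Laf "$dumpfile" /home
    # 2. Nothing may have the slice open while geli rewrites it.
    run umount /home
    # 3. Initialise the provider. geli keeps its metadata in the last sector
    #    of the slice; -B writes a second copy so a damaged sector does not
    #    lose the master key. AES-XTS/256 is the current default cipher;
    #    older releases only offered AES-CBC, so check geli(8) for yours.
    run geli init -e AES-XTS -l 256 -s 4096 -B "$meta" "/dev/${dev}"
    # 4. Attach (prompts for the passphrase); /dev/${dev}.eli appears.
    run geli attach "/dev/${dev}"
    # 5. The old filesystem is now ciphertext: create a new one on the
    #    decrypted provider and mount it.
    run newfs -U "/dev/${dev}.eli"
    run mount "/dev/${dev}.eli" /home
    # 6. Restore the dump into the new filesystem (restore extracts into
    #    the current directory).
    run cd /home
    run restore -rf "$dumpfile"
}

# fstab line so that from now on the mount refers to the decrypted provider.
fstab_line() {
    printf '/dev/%s.eli\t/home\tufs\trw\t2\t2\n' "$1"
}

encrypt_home_slice ad0s1d
fstab_line ad0s1d
```

Two things to keep off the slice being encrypted: the dump file (step 1 is useless if step 3 overwrites it) and the metadata backup, which should also go into whatever offline backup holds the dump. After the migration, `geli_devices="ad0s1d"` in rc.conf makes the system ask for the passphrase at boot before fstab mounts /home.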
GEOM/GELI Boot Disk Encryption
Hey folks,

I'm trying to take a system that already has a running freebsd system (or I
can start over), and make the entire system encrypted. I've found
instructions (freebsd manual) for creating secondary disks, but not the boot
disk in particular.

Can anyone point me in the right direction?

TIA
Eric F Crist