Re[2]: GELI - FreeBSD Full Disk Encryption
- From: Network Security <SecurityAdmin@xxxxxxxx>
- Date: Wed, 6 Sep 2006 15:22:36 -0700
GELI even properly installed has some security problems, so I've
linked to a FreeBSD Full Disk Encryption Howto video. Maybe it will
save somebody from losing their entire file system.
It's about an hour long and covers GELI and GBDE and can be viewed
(Courtesy of Google Video) here:
http://www.zuit.net/freebsd-disk-encryption-video.html
-Brian
Brian J. Brandon
Network Security Consultant
Los Angeles, California
SecurityAdmin@xxxxxxxx
Tel. No. 866.395.1039
Wednesday, September 6, 2006, 2:28:20 PM, you wrote:
You are a complete madman. You want to protect your data with a key stored
on the most completely and utterly unreliable form of data storage still
lamentably in use? It's not the 1970s anymore, get a real data storage
medium!
Get a usb flash drive, from there it's a simple matter of changing the geli
script to mount a specific usb device before starting. Look in
/etc/rc.d/geli and geli2. I'd put your mounting and checks between the
kldstat and the "if [ -z" in the geli_start() sub.
You'll want to then use "geli -K" to input your key material, so you'll
want to make sure your device is present, and that it has the expected key
filename on it. You could also use dd and dump the first n sectors to
stdout and pipe that into your geli command.
Seems like quite a waste if you don't intend to use a passphrase.
On Wed, 6 Sep 2006, Frank Steinborn wrote:
Hello,
I want to encrypt my HDDs with GELI (not the root-fs, though). I want
to do the encryption without password, just with a key. The key should
be stored in a floppy disk, and the read should be read automatically
on boot, from the floppy.
There is a problem here, because GELI initializes _before_ mounting
the disks from /etc/fstab (for obvious reasons, of course). So GELI is
not able to get the keys from the floppy and fails.
So, any hints how I could get the floppy mounted _before_ GELI tries
to initialize?
Thanks in advance,
Frank
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
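The approach suggested in the quoted reply (mount the key device before GELI attaches, and check that the device and the expected key file are present), sketched as an added example that is not code from this thread or from FreeBSD's /etc/rc.d/geli. The device node, FAT-formatted stick, mount point, key file name and minimum key size are assumptions; the attach step uses `geli attach -p -k` for a keyfile-only provider.

```shell
# Added example; device, mount point, key name and size floor are assumptions.
KEY_DEV="${KEY_DEV:-/dev/da0s1}"     # USB stick partition holding the key
KEY_MNT="${KEY_MNT:-/mnt/gelikey}"   # temporary mount point
KEY_NAME="${KEY_NAME:-disk.key}"     # expected key file name on the stick
KEY_MIN_BYTES=32                     # refuse empty or truncated key files

# keyfile_ok FILE: true only for a readable regular file of at least
# KEY_MIN_BYTES bytes.
keyfile_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    size=$(( $(wc -c < "$1") ))
    [ "$size" -ge "$KEY_MIN_BYTES" ]
}

# attach_with_usb_key PROVIDER
# Returns 0 on success, 2 device absent, 3 mount failed, 4 key file
# missing or too short, 5 geli attach failed.
# The provider must have been initialised with the same key file and no
# passphrase (geli init -P -K keyfile provider).
attach_with_usb_key() {
    prov=$1
    if [ ! -e "$KEY_DEV" ]; then
        echo "geli: key device $KEY_DEV not present" >&2
        return 2
    fi
    mkdir -p "$KEY_MNT" || return 3
    # Read-only mount (stick assumed FAT-formatted): booting never needs
    # to write to the key medium.
    mount -t msdosfs -o ro "$KEY_DEV" "$KEY_MNT" || return 3
    rc=0
    if keyfile_ok "$KEY_MNT/$KEY_NAME"; then
        # -p: no passphrase component, -k: key file
        geli attach -p -k "$KEY_MNT/$KEY_NAME" "$prov" || rc=5
    else
        echo "geli: $KEY_NAME missing or too short on $KEY_DEV" >&2
        rc=4
    fi
    # Unmount in every case so the key file is not reachable after boot.
    umount "$KEY_MNT"
    return $rc
}
```

Unmounting on every path and failing closed on a short key file keeps a half-written or swapped stick from silently producing a provider that cannot be attached later.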