new_guy wrote:
Hi guys,

I'd like to use geli to whole disk encrypt a FreeBSD 7.1 laptop I already
have set up. The laptop is up and working fine and I don't want to screw it
up. It has the default partition layout. I've already used geli to encrypt
the swap partition.
The default partitioning at install creates / /tmp /usr and /var. I thought
I would start with /tmp as I should be able to fix that if I mess up.
Some questions...

1. Will each partition have to be mounted with a password?
2. What's the most straight-forward way to go about this without screwing
up?

I already have the eli module loaded in the /boot/loader.conf so I won't
need to re-compile, etc.


To convert a partition to geli requires you to wipe out all the contents,
scribble over the partition with random data to get rid of any remnants of
the unencrypted content, set up the encryption keys and then rebuild the file
system and recover the data from backup.

Yes, you will need to supply some sort of secret value to retrieve the
encrypted disk contents. This is usually configured to mean typing in a
passphrase at the time the partition is mounted, although it is also possible
to store crypto keys on a removable medium such as USB key -- you don't
necessarily have to use a pass phrase in that case, although it's a good idea
for the most effective security.  Once the partition is mounted, you should be
able to take the key out and put it in a safe place and still keep running.

Depending on your requirements you can encrypt the whole drive -- which while
highly secure requires you to have crypto keys etc. on a removable medium and
is a little tricky to get working properly -- or you can create a small
unencrypted partition which should contain the kernel and necessary crypto bits
(ie. the contents of /boot at a minimum) and then encrypt things partition by 
partition.  You will have to type in a pass phrase to mount each different
encrypted partition -- to prevent this becoming too onerous, consider using a
'one big partition' layout.

Also note that you should encrypt the swap partition, or someone coming into
possession of the laptop may be trivially able to recover secret data from it:
this is pretty automated and can be achieved by simply editing /etc/fstab to
change the mount device to eg. /dev/ad0s1b.eli and rebooting -- an ephemeral
key is used, so no typing passphrases is required in this instance.  Setting up
a swap-backed tmpmfs will then give you an encrypted /tmp too.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
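
The conversion sequence described in the reply above (back up, overwrite with random data, set up geli, rebuild the file system, restore), as an added example that is not part of the original thread: a dry-run planner that prints the commands in order and executes none of them. The device ad0s1e, the dump path, the 4096-byte geli sector size and both function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: print (never run) the steps for moving
# one UFS partition onto geli. Device, mount point, dump path and the
# -s 4096 sector size are constructed sample values.

# geli_convert_plan DEV MNT BACKUP -> ordered command list on stdout.
geli_convert_plan() {
    [ $# -eq 3 ] || { echo "usage: geli_convert_plan DEV MNT BACKUP" >&2; return 2; }
    dev=$1 mnt=$2 backup=$3
    case $dev in
        *.eli)  echo "$dev is already a geli provider" >&2; return 1 ;;
        /dev/*) ;;
        *)      echo "device must be a /dev path" >&2; return 1 ;;
    esac
    # / needs the separate unencrypted /boot the reply mentions; not handled.
    [ "$mnt" != "/" ] || { echo "refusing to plan for /" >&2; return 1; }
    # The dump must live outside the file system that is about to be wiped.
    case $backup in
        "$mnt"/*) echo "backup is inside $mnt" >&2; return 1 ;;
    esac
    cat <<EOF
dump -0Laf $backup $mnt
umount $mnt
dd if=/dev/random of=$dev bs=1m
geli init -s 4096 $dev
geli attach $dev
newfs -U $dev.eli
mount $dev.eli $mnt
cd $mnt && restore -rf $backup
EOF
}

# fstab_to_eli DEV: filter an fstab on stdin so DEV's entry uses DEV.eli.
fstab_to_eli() {
    awk -v dev="$1" '$1 == dev { sub(/^[^ \t]+/, dev ".eli") } { print }'
}

# Dry run on constructed values: /tmp on ad0s1e, dump kept under /usr.
geli_convert_plan /dev/ad0s1e /tmp /usr/backup/tmp.dump
printf '/dev/ad0s1e\t/tmp\tufs\trw\t2\t2\n' | fstab_to_eli /dev/ad0s1e
```

Check that the dump restores cleanly somewhere else before running the dd step, since everything after it depends on that backup.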
