Re: Full disk encryption without root partition

2012-12-30 Thread David Demelier

On 29/12/2012 23:53, Polytropon wrote:

On Sat, 29 Dec 2012 22:43:29 +0100, Martin Laabs wrote:

So from the security point of view it might be a good choice to have an
unencrypted and (hardware) readonly boot partition.


To prevent unintended modification of the boot process's
components by an attacker, an option would be to have the
system boot from a R/O media (SD card, USB stick or USB
card in stick) and then _remove_ this media when the
system has been booted. Of course this requires physical
presence of some kind of operator who is confirmed to
handle this specific media. The rest of the system on
disk and the data may be encrypted now, and if (physically)
stolen, the disks are useless. I agree that such kind of
security isn't possible everywhere, especially not if
you cannot physically access your server.

To prevent further bad things (like someone steals
this boot stick), manually entering a passphrase in
combination with the keys on the stick could be required.
Of course a strong passphrase would have to be chosen,
and not written on the USB stick. :-)

The options an attacker has on a _running_ system with
encrypted components is a completely different topic.





I think a good idea would be to store the key directly in the
bootloader, but that needs a large enough partition scheme that can
store the bootloader (boot0 or boot1) plus the encryption key. However,
this needs support added in both boot files, and they will be bigger.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Full disk encryption without root partition

2012-12-30 Thread David Demelier

On 28/12/2012 12:29, mhca12 wrote:

On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:



Date: Wed, 26 Dec 2012 22:18:40 +0100
From: mhca12 mhc...@gmail.com
To: freebsd-questions@freebsd.org
Subject: Re: Full disk encryption without root partition
Message-ID:
   cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:

Are there any plans or is there already support for full
disk encryption without the need for a root partition?


I am sorry, I certainly meant to write boot partition.




Yes, it is possible to use GELI, for example, to do full disk encryption
and have the boot partition on a USB stick.


That would still keep the boot partition as unencrypted, wouldn't it?


Yes, how would you use your key if the partition is encrypted too?




Re: Full disk encryption without root partition

2012-12-30 Thread mhca12
On Sun, Dec 30, 2012 at 10:30 AM, David Demelier
demelier.da...@gmail.com wrote:
 On 28/12/2012 12:29, mhca12 wrote:

 On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:


 Date: Wed, 26 Dec 2012 22:18:40 +0100
 From: mhca12 mhc...@gmail.com
 To: freebsd-questions@freebsd.org
 Subject: Re: Full disk encryption without root partition
 Message-ID:

 cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
 Content-Type: text/plain; charset=ISO-8859-1

 On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:

 Are there any plans or is there already support for full
 disk encryption without the need for a root partition?


 I am sorry, I certainly meant to write boot partition.



 Yes, it is possible to use GELI, for example, to do full disk encryption
 and have the boot partition on a USB stick.


 That would still keep the boot partition as unencrypted, wouldn't it?


 Yes, how would you use your key if the partition is encrypted too?

Either use a usb medium with the key on it or enter a passphrase
at an interactive prompt.

I got interested in this because of OpenBSD's recent bootloader
changes gaining the ability to avoid an unencrypted boot partition.
On Linux systems I have a similar complaint that I have to use
an initramfs (initial ramdisk with the required userland to
unlock the crypt volume). All the crypto code is in the Linux kernel
and presumably also in the BSDs' case, but the volume header
detection/verification/unlock code seems to be relegated to
userland tools, which makes it impossible to have just the kernel
do the required work.

Ultimately I'm gathering the state of art in the BSDs
and Linux to get a full picture.


Strange mouse behavior in Gnome2

2012-12-30 Thread Alexander Lindemann
Hi,

I have a strange problem with my mouse while using Gnome2 (same problem
with KDE) on FreeBSD 9:

Mouse clicks aren't working if I open another window. My test case is
opening the keyboard settings and trying to add another layout, but it's
the same with other windows. I can't even open a terminal without
losing control of the panel and the other windows. I can close and
manipulate the windows with my keyboard.

I tried everything I could find about HAL and X, but nothing helped.

I hope you can help me.

Alexander Lindemann


Re: Full disk encryption without root partition

2012-12-30 Thread RW
On Sun, 30 Dec 2012 10:34:51 +0100
David Demelier wrote:


 I think a good idea would be to store the key directly in the
 bootloader, but that needs a large enough partition scheme that can
 store the bootloader (boot0 or boot1) plus the encryption key.
 However, this needs support added in both boot files, and they
 will be bigger.

I'm not sure what you are trying to say, but the master key is already
in the metadata and putting user keys on the disk would render the
encryption pointless.
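
The point made in the reply above (the data-encrypting master key already sits in the provider metadata, wrapped under a key derived from the user's passphrase and/or keyfile, so a keyfile stored on the same disk unlocks it for whoever takes the disk) is easiest to see in code. The following is an added example, not code from the thread or from FreeBSD's geli(8), and it is a simplified model rather than GELI's on-disk format: the master key is wrapped with an HMAC-SHA512 keystream plus an HMAC tag (GELI uses AES for this; the HMAC variant keeps the model standard-library only), the PBKDF2 iteration count and the "wrap" label are constructed values, and the passphrase, keyfile and master key are random sample inputs constructed inline. It runs both setups discussed in the thread: keyfile on a removable stick plus a passphrase, and a keyfile stored next to the bootloader with no passphrase.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KEY_LEN = 32            # 256-bit master key, the size of an AES-XTS-256 data key
PBKDF2_ITERS = 50_000   # constructed value; GELI chooses its iteration count by timing
WRAP_LABEL = b"wrap"    # constructed domain-separation label for the wrapping keystream


@dataclass
class Metadata:
    """Simplified stand-in for the provider metadata: what a thief gets with the disk."""
    salt: bytes
    wrapped_master_key: bytes
    tag: bytes


def derive_user_key(salt: bytes, passphrase: Optional[bytes], keyfile: Optional[bytes]) -> bytes:
    """Fold passphrase and keyfile into one user key.

    Modelled on GELI's scheme: keyfile bytes go through an HMAC, the passphrase
    through PBKDF2, and both feed the same HMAC, so either component alone yields
    a different (wrong) key. At least one component is required.
    """
    if passphrase is None and keyfile is None:
        raise ValueError("need a passphrase, a keyfile, or both")
    h = hmac.new(salt, digestmod=hashlib.sha512)
    if keyfile is not None:
        h.update(keyfile)
    if passphrase is not None:
        h.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, PBKDF2_ITERS))
    return h.digest()[:KEY_LEN]


def _keystream(user_key: bytes) -> bytes:
    # One block of HMAC-derived keystream; GELI uses AES here, this keeps the model stdlib-only.
    return hmac.new(user_key, WRAP_LABEL, hashlib.sha512).digest()[:KEY_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def init_provider(master_key: bytes, passphrase: Optional[bytes] = None,
                  keyfile: Optional[bytes] = None) -> Metadata:
    """Model of 'geli init': wrap the freshly generated master key under the user key."""
    salt = os.urandom(32)
    uk = derive_user_key(salt, passphrase, keyfile)
    wrapped = _xor(master_key, _keystream(uk))
    tag = hmac.new(uk, wrapped, hashlib.sha256).digest()
    return Metadata(salt, wrapped, tag)


def attach(md: Metadata, passphrase: Optional[bytes] = None,
           keyfile: Optional[bytes] = None) -> Optional[bytes]:
    """Model of 'geli attach': recover the master key, or None on a wrong passphrase/keyfile."""
    uk = derive_user_key(md.salt, passphrase, keyfile)
    expected = hmac.new(uk, md.wrapped_master_key, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, md.tag):
        return None
    return _xor(md.wrapped_master_key, _keystream(uk))


def demo() -> dict:
    """Constructed scenario covering the two setups discussed in the thread."""
    master = os.urandom(KEY_LEN)      # generated at init; in GELI it never leaves the kernel
    keyfile = os.urandom(64)          # constructed; think dd if=/dev/random of=/mnt/usb/root.key
    passphrase = b"correct horse battery staple"

    # Setup A: keyfile on the removable stick *and* a passphrase.
    two_factor = init_provider(master, passphrase=passphrase, keyfile=keyfile)
    # Setup B: key stored next to the bootloader on the disk itself, no passphrase.
    key_on_disk = init_provider(master, keyfile=keyfile)

    return {
        "both_components_unlock": attach(two_factor, passphrase, keyfile) == master,
        "stolen_stick_alone_fails": attach(two_factor, None, keyfile) is None,
        "passphrase_alone_fails": attach(two_factor, passphrase, None) is None,
        "wrong_passphrase_fails": attach(two_factor, b"wrong", keyfile) is None,
        # Setup B: whoever has the disk also has the keyfile, so the metadata unwraps at once.
        "key_on_disk_unlocks_without_secret": attach(key_on_disk, None, keyfile) == master,
    }
```

Every entry of demo() comes back True: the two-component setup refuses the stick without the passphrase and the passphrase without the stick, while the key-next-to-the-bootloader setup hands the master key to anyone holding the disk, which is exactly why the reply calls that arrangement pointless.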


SaMBa 4 - man pages

2012-12-30 Thread Celso Viana
Hi all,

When installing Samba4 on FreeBSD 9.1, the man pages are not
installed. Does anyone know why this happens?

Thanks!!

-- 
Celso Vianna
BSD User: 51318
http://www.bsdcounter.org
Palmas/TO


problem after installkernel going from 9.0 to CURRENT

2012-12-30 Thread Robert Huff

Situation:
One of my boxes failed, and for various reasons it became easier to
just scrub and rebuild it.

1) Using BSDinstall, I created the first disk:

ada0p1  freebsd-boot  128k
ada0p2  freebsd-swap  4g
ada0p3  freebsd-ufs   25g

2) Installed off the CD, got it up and running, everything was good.
3) Like its predecessor, this wants to run CURRENT.
Used csup (tag=.) to update the source tree as of midnight last night.
4) Built world - OK.
Built kernel - OK.
Ran mergemaster - OK.
Installed kernel - OK.
5) On rebooting, the loader(??) claims to not be able to find a
bootable partition - i.e. I get a screen that ends in mountpoint   .

Providing the presumptive value by hand returns error 19.
6) Boot using installation CD and use gpart show to double check
device names and partitions; everything looks good.

7) Try normal booting again, no go.

This is my first time installing to a GPT partitioned system, and I
have (obviously) failed to grok something.  I checked src/UPDATING and
found nothing which covered this.

What is it, and how do I fix it?


Respectfully,


Robert Huff


Re: problem after installkernel going from 9.0 to CURRENT

2012-12-30 Thread Polytropon
On Sun, 30 Dec 2012 17:26:40 -0500, Robert Huff wrote:
   Used csup (tag=.) to update the source tree as of midnight last night.

This seems to be discouraged today. Instead svn should be used.


   5) On rebooting, the loader(??) claims to not be able to find a 
 bootable partition - i.e. I get a screen that ends in mountpoint   .

Are you sure this isn't the mountroot prompt? It indicates
that the / partition cannot be mounted to continue booting.
Maybe you can interrupt at the boot loader and examine the
mount source for /, or manually set it to be ada0p1?



 Providing the presumptive value by hand returns error 19.

No root partition, probably. :-)



   This is my first time installing to a GPT partitioned system, and I 
 have (obviously) failed to grok something.  I checked src/UPDATING and 
 found nothing which covered this.

That's why _I_ prefer old-fashioned MBR partitioning with
sysinstall which has never failed me. :-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: problem after installkernel going from 9.0 to CURRENT

2012-12-30 Thread Robert Huff

On 12/30/2012 6:24 PM, Polytropon wrote:


Used csup (tag=.) to update the source tree as of midnight last night.


This seems to be discouraged today. Instead svn should be used.


I'm using this for ports, will convert for source ... probably in the
next round after I deal with this.



5) On rebooting, the loader(??) claims to not be able to find a
bootable partition - i.e. I get a screen that ends in mountpoint   .


Are you sure this isn't the mountroot prompt?


Right you are; sorry, typing from memory on a different system.


It indicates
that the / partition cannot be mounted to continue booting.
Maybe you can interrupt at the boot loader and examine the
mount source for /, or manually set it to be ada0p1?


I'll try that.


Providing the presumptive value by hand returns error 19.


No root partition, probably. :-)


Duh.  :-)


That's why _I_ prefer old-fashioned MBR partitioning with
sysinstall which has never failed me. :-)


There's something to be said for that.  On the other hand, GPT is the
rising tide and one has to learn to swim sometimes.



Robert Huff





Re: Strange mouse behavior in Gnome2

2012-12-30 Thread Shane Ambler

On 30/12/2012 23:21, Alexander Lindemann wrote:

Hi,

I have a strange problem with my mouse while using Gnome2 (same
problem with KDE) on FreeBSD 9:

Mouse clicks aren't working if I open another window. My test case is
opening the keyboard settings and trying to add another layout, but
it's the same with other windows. I can't even open a terminal
without losing control of the panel and the other windows. I can
close and manipulate the windows with my keyboard.

I tried everything I could find about HAL and X, but nothing helped.

I hope you can help me.



Start with the basics - are a single mouse and keyboard the only input devices
you have? Are they plugged straight into the motherboard sockets?

I ask this as I have just tried running the mouse through a usb hub that
turned out to be flaky causing it to have erratic behaviour. I have also
seen a second mouse and a wacom tablet interfere with a mouse. The two
mice came from a wireless keyboard/mouse combo where the mouse was
useless (actually it was a logitech wireless combo, the mouse was going
to sleep even as I was using it) - the wireless transceiver always
responded as a mouse and keyboard even if the mouse had no battery to
respond.



Bad gpg signature on 9.1 announcement mail?

2012-12-30 Thread grarpamp
Anyone else having trouble verifying the signature on
the announcement mail? If yours works, can you inline
a base64 encoded version of the verified message text
so I can see what's wrong with my verifier? Thanks.
gpg --verify msg.txt.asc msg.txt