Re: Full disk encryption without root partition
On 29/12/2012 23:53, Polytropon wrote:
> On Sat, 29 Dec 2012 22:43:29 +0100, Martin Laabs wrote:
>> So from the security point of view it might be a good choice
>> to have an unencrypted and (hardware) read-only boot partition.
>
> To prevent unintended modification by an attacker of the boot
> process's components, an option would be to have the system
> boot from a R/O media (SD card, USB stick or USB card in stick)
> and then _remove_ this media when the system has been booted.
> Of course this requires physical presence of some kind of
> operator who is confirmed to handle this specific media.
>
> The rest of the system on disk and the data may be encrypted now,
> and if (physically) stolen, the disks are useless.
>
> I agree that such kind of security isn't possible everywhere,
> especially not if you cannot physically access your server.
>
> To prevent further bad things (like someone steals this boot
> stick), manually entering a passphrase in combination with the
> keys on the stick could be required. Of course a strong passphrase
> would have to be chosen, and not written on the USB stick. :-)
>
> The options an attacker has on a _running_ system with encrypted
> components is a completely different topic.

I think a good idea would be to store the key directly in the
bootloader, but that needs a large enough partition scheme that can
store the bootloader (boot0 or boot1) plus the encryption key.

However this needs to add support for that in both boot files and
will be bigger.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Full disk encryption without root partition
On 28/12/2012 12:29, mhca12 wrote:
> On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:
>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>> From: mhca12 mhc...@gmail.com
>>> To: freebsd-questions@freebsd.org
>>> Subject: Re: Full disk encryption without root partition
>>> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>>>> Are there any plans or is there already support for full
>>>> disk encryption without the need for a root partition?
>>>
>>> I am sorry, I certainly meant to write boot partition.
>>
>> Yes, it is possible to use GELI for example to do a full disk
>> encryption and have the boot partition on a USB stick.
>
> That would still keep the boot partition as unencrypted, wouldn't it?

Yes, how would you use your key if the partition is encrypted too?

Re: Full disk encryption without root partition
On Sun, Dec 30, 2012 at 10:30 AM, David Demelier demelier.da...@gmail.com wrote:
> On 28/12/2012 12:29, mhca12 wrote:
>> On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:
>>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>>> From: mhca12 mhc...@gmail.com
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: Re: Full disk encryption without root partition
>>>> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>>>>> Are there any plans or is there already support for full
>>>>> disk encryption without the need for a root partition?
>>>>
>>>> I am sorry, I certainly meant to write boot partition.
>>>
>>> Yes, it is possible to use GELI for example to do a full disk
>>> encryption and have the boot partition on a USB stick.
>>
>> That would still keep the boot partition as unencrypted, wouldn't it?
>
> Yes, how would you use your key if the partition is encrypted too?

Either use a USB medium with the key on it or enter a passphrase
at an interactive prompt.

I got interested in this because of OpenBSD's recent bootloader
changes gaining the ability to avoid an unencrypted boot partition.

On Linux systems I have a similar complaint that I have to use an
initramfs (initial ramdisk with the required userland to unlock the
crypt volume). All the crypto code is in the Linux kernel and
presumably also in the BSDs' case, but the volume header
detection/verification/unlock code seems to be relegated to userland
tools, which makes it impossible to have just the kernel do the
required work.

Ultimately I'm gathering the state of the art in the BSDs and Linux
to get a full picture.

Re: Full disk encryption without root partition
On Sun, 30 Dec 2012 10:34:51 +0100
David Demelier wrote:
> I think a good idea would be to store the key directly in the
> bootloader, but that needs a large enough partition scheme that can
> store the bootloader (boot0 or boot1) plus the encryption key.
>
> However this needs to add support for that in both boot files and
> will be bigger.

I'm not sure what you are trying to say, but the master key is
already in the metadata and putting user keys on the disk would
render the encryption pointless.

Re: Full disk encryption without root partition
2012-12-26 22:17, mhca12 wrote:
> Are there any plans or is there already support for full
> disk encryption without the need for a root partition?

Not exactly what was asked for, but here it is:
http://forums.freebsd.org/showthread.php?t=2775

Re: Full disk encryption without root partition
Hi,

> Are there any plans or is there already support for full
> disk encryption without the need for a boot partition?

Well - what would be your benefit? OK - you might not create another
partition but I think this is not the problem.

From the point of security you would not get any improvement because
some type of software has to be unencrypted. And this software could
be manipulated to do things like e.g. send the encryption key to an
attacker.

So from this point of view there is no difference whether the kernel
is unencrypted or any other type of software (that runs before the
kernel) is unencrypted.

There is a solution named secureboot together with TPM but this
introduces some other aspects that are not so very welcome in the
open source community.

So from the security point of view it might be a good choice to have
an unencrypted and (hardware) read-only boot partition.

Best regards,
 Martin Laabs

Re: Full disk encryption without root partition
On Sat, 29 Dec 2012 22:43:29 +0100, Martin Laabs wrote:
> So from the security point of view it might be a good choice
> to have an unencrypted and (hardware) read-only boot partition.

To prevent unintended modification by an attacker of the boot
process's components, an option would be to have the system
boot from a R/O media (SD card, USB stick or USB card in stick)
and then _remove_ this media when the system has been booted.
Of course this requires physical presence of some kind of
operator who is confirmed to handle this specific media.

The rest of the system on disk and the data may be encrypted now,
and if (physically) stolen, the disks are useless.

I agree that such kind of security isn't possible everywhere,
especially not if you cannot physically access your server.

To prevent further bad things (like someone steals this boot
stick), manually entering a passphrase in combination with the
keys on the stick could be required. Of course a strong passphrase
would have to be chosen, and not written on the USB stick. :-)

The options an attacker has on a _running_ system with encrypted
components is a completely different topic.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

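
A simplified model of the key hierarchy discussed in this thread, as an added example that is not part of any post and is not GELI's code or on-disk format: the disk metadata holds the master key only in wrapped form, under a user key derived from the keyfile on the boot stick combined with a typed passphrase. The function names, the HMAC-based stand-in cipher, the iteration count and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # assumed work factor for this sketch


def user_key(keyfile: bytes, passphrase: str, salt: bytes) -> bytes:
    """Mix both factors: keyfile bytes (on the stick) and a typed passphrase."""
    stretched = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS)
    return hmac.new(stretched, keyfile, hashlib.sha512).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC keystream: a stand-in for a real cipher such as AES."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, b"enc" + block.to_bytes(4, "big"), hashlib.sha512).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(master: bytes, keyfile: bytes, passphrase: str, salt: bytes) -> dict:
    """Build the metadata record that lives on the encrypted disk."""
    ukey = user_key(keyfile, passphrase, salt)
    enc = _xor_stream(ukey, master)
    tag = hmac.new(ukey, b"mac" + enc, hashlib.sha512).digest()
    return {"salt": salt, "enc_mkey": enc, "tag": tag}  # the user key is never stored


def unwrap(meta: dict, keyfile: bytes, passphrase: str):
    """Return the master key, or None if either factor is wrong or missing."""
    ukey = user_key(keyfile, passphrase, meta["salt"])
    tag = hmac.new(ukey, b"mac" + meta["enc_mkey"], hashlib.sha512).digest()
    if not hmac.compare_digest(tag, meta["tag"]):
        return None
    return _xor_stream(ukey, meta["enc_mkey"])


# Constructed sample values, for illustration only.
MASTER = bytes(range(64))
KEYFILE = b"constructed keyfile bytes kept on the removable boot stick"
SALT = b"constructed-salt"
META = wrap(MASTER, KEYFILE, "correct horse", SALT)

if __name__ == "__main__":
    print("both factors:       ", unwrap(META, KEYFILE, "correct horse") == MASTER)
    print("stick, no passphrase:", unwrap(META, KEYFILE, "") is None)
    print("passphrase, no stick:", unwrap(META, b"", "correct horse") is None)
```

The metadata alone reveals nothing usable; writing the user key (or an unprotected keyfile) onto the same disk would let anyone holding the disk run the unwrap step, which is the objection raised in the thread.
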
Re: Full disk encryption without root partition
On Sat, 29 Dec 2012 22:43:29 +0100
Martin Laabs wrote:
> Hi,
>
>> Are there any plans or is there already support for full
>> disk encryption without the need for a boot partition?
>
> Well - what would be your benefit? OK - you might not create another
> partition but I think this is not the problem.
>
> From the point of security you would not get any improvement because
> some type of software has to be unencrypted. And this software could
> be manipulated to do things like e.g. send the encryption key to an
> attacker.
>
> So from this point of view there is no difference whether the kernel
> is unencrypted or any other type of software (that runs before the
> kernel) is unencrypted.

And the advantage of putting the boot partition on a memory stick is
that it's much easier to keep such a device physically secure.

Bootstrapping code on the main hard drive is easier to attack. IIRC
someone demonstrated such an attack against one of the commercial
encryption packages.

Re: Full disk encryption without root partition
> Date: Wed, 26 Dec 2012 22:18:40 +0100
> From: mhca12 mhc...@gmail.com
> To: freebsd-questions@freebsd.org
> Subject: Re: Full disk encryption without root partition
> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>> Are there any plans or is there already support for full
>> disk encryption without the need for a root partition?
>
> I am sorry, I certainly meant to write boot partition.

Yes, it is possible to use GELI for example to do a full disk
encryption and have the boot partition on a USB stick.

cs@

Re: Full disk encryption without root partition
On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:
>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>> From: mhca12 mhc...@gmail.com
>> To: freebsd-questions@freebsd.org
>> Subject: Re: Full disk encryption without root partition
>> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>>> Are there any plans or is there already support for full
>>> disk encryption without the need for a root partition?
>>
>> I am sorry, I certainly meant to write boot partition.
>
> Yes, it is possible to use GELI for example to do a full disk
> encryption and have the boot partition on a USB stick.

That would still keep the boot partition as unencrypted, wouldn't it?

Full disk encryption without root partition
Are there any plans or is there already support for full
disk encryption without the need for a root partition?

Re: Full disk encryption without root partition
On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
> Are there any plans or is there already support for full
> disk encryption without the need for a root partition?

I am sorry, I certainly meant to write boot partition.