Passphraseless Disk Encryption Options?

Li, Xiao xaol at amazon.com
Tue Sep 8 18:14:46 UTC 2015 

Hi Igor,

Thanks for the suggestion! I¹m trying to achieve that the data could only
be accessed in a trusted booted system and cannot be decrypted when the
startup disk is a cold storage device. Something like FileVault on Mac OS
X (https://support.apple.com/en-us/HT204837).

I admit the protocol is broken. Like in geli, there have to be an
unencrypted /boot partition to load kernel, and the rest of the OS is on
an encrypted large storage partition. I¹m thinking if I could make it
passwordless then the passphrase or the key have to be stored on the
unencrypted partition which would definitely break the security protocol,
therefore I¹m wondering if the passphrase or the key could be protected in
the non volatile memory of some firmwares like TPM and could be retrieved
only in known system statusŠ

Thanks again!
Xiao

On 9/8/15, 10:44 AM, "owner-freebsd-hackers at freebsd.org on behalf of Igor
Mozolevsky" <owner-freebsd-hackers at freebsd.org on behalf of
igor at hybrid-lab.co.uk> wrote:

>On 8 September 2015 at 18:22, Analysiser <analysiser at gmail.com> wrote:
>
>I¹m trying to perform a whole disk encryption for my boot drive to protect
>> its data at rest. However I would like to have a mac OS X-ish full disk
>> encryption that does not explicitly ask for a passphrase and would boot
>>as
>> normal without manual input of passphrase. I tried to do it with geli(8)
>> but it seems there is no way I can avoid the manual interaction. Really
>> curious if there is a way to achieve it? Thanks!
>>
>
>
>Do you mean like DVD "encryption'? If you are able to decrypt the contents
>of the disk without something that only the person in front for the
>computer either has or knows then *anyone* would be able to decrypt it.
>
>What is the actual problem you're trying to solve? Remember that
>encryption
>is just a tool and not a solution- you need a good security protocol that
>will protect your data, and by the sound of it the protocol you propose
>(self-decrypting drive) is just broken.
>
>
>-- 
>Igor M.
>_______________________________________________
>freebsd-hackers at freebsd.org mailing list
>https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"

More information about the freebsd-hackers mailing list