Passphraseless Disk Encryption Options?
Li, Xiao
xaol at amazon.com
Tue Sep 8 18:28:03 UTC 2015
To clarify more, I’m trying to protect a headless device that has FreeBSD
installed on it. There is no usb/video input, only NIC and power are
exposed. And I’m trying to protect its bootable drive.
On 9/8/15, 11:14 AM, "owner-freebsd-hackers at freebsd.org on behalf of
Hackers freeBSD" <owner-freebsd-hackers at freebsd.org on behalf of
freebsd-hackers at freebsd.org> wrote:
>Hi Igor,
>
>Thanks for the suggestion! I¹m trying to achieve that the data could only
>be accessed in a trusted booted system and cannot be decrypted when the
>startup disk is a cold storage device. Something like FileVault on Mac OS
>X (https://support.apple.com/en-us/HT204837).
>
>I admit the protocol is broken. Like in geli, there have to be an
>unencrypted /boot partition to load kernel, and the rest of the OS is on
>an encrypted large storage partition. I¹m thinking if I could make it
>passwordless then the passphrase or the key have to be stored on the
>unencrypted partition which would definitely break the security protocol,
>therefore I¹m wondering if the passphrase or the key could be protected in
>the non volatile memory of some firmwares like TPM and could be retrieved
>only in known system statusŠ
>
>Thanks again!
>Xiao
>
>On 9/8/15, 10:44 AM, "owner-freebsd-hackers at freebsd.org on behalf of Igor
>Mozolevsky" <owner-freebsd-hackers at freebsd.org on behalf of
>igor at hybrid-lab.co.uk> wrote:
>
>>On 8 September 2015 at 18:22, Analysiser <analysiser at gmail.com> wrote:
>>
>>I¹m trying to perform a whole disk encryption for my boot drive to
>>protect
>>> its data at rest. However I would like to have a mac OS X-ish full disk
>>> encryption that does not explicitly ask for a passphrase and would boot
>>>as
>>> normal without manual input of passphrase. I tried to do it with
>>>geli(8)
>>> but it seems there is no way I can avoid the manual interaction. Really
>>> curious if there is a way to achieve it? Thanks!
>>>
>>
>>
>>Do you mean like DVD "encryption'? If you are able to decrypt the
>>contents
>>of the disk without something that only the person in front for the
>>computer either has or knows then *anyone* would be able to decrypt it.
>>
>>What is the actual problem you're trying to solve? Remember that
>>encryption
>>is just a tool and not a solution- you need a good security protocol that
>>will protect your data, and by the sound of it the protocol you propose
>>(self-decrypting drive) is just broken.
>>
>>
>>--
>>Igor M.
>>_______________________________________________
>>freebsd-hackers at freebsd.org mailing list
>>https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>To unsubscribe, send any mail to
>>"freebsd-hackers-unsubscribe at freebsd.org"
>
>_______________________________________________
>freebsd-hackers at freebsd.org mailing list
>https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
More information about the freebsd-hackers
mailing list