Passphraseless Disk Encryption Options?
Peter Beckman
beckman at angryox.com
Tue Sep 8 20:50:48 UTC 2015
On Tue, 8 Sep 2015, Li, Xiao via freebsd-hackers wrote:
> To clarify more, I’m trying to protect a headless device that has FreeBSD
> installed on it. There is no usb/video input, only NIC and power are
> exposed. And I’m trying to protect its bootable drive.
Seems to me that you would need one of the following:
a) An unencrypted boot system that started up networking and an SSH
daemon. Then you connect via SSH, "enter the encryption pass phrase"
and then the system shuts down the bootstrapped system and boots the
real OS.
b) A USB key, or some other hardware, installed in the physical system
that the booting OS can access to magically auto-decrypt the OS as it
boots. If they steal the drive but not the hardware, the drive is
safe. If they steal it all, you're hosed.
c) A network device which the OS knows to pass a public-key signed
request to in order to receive back a private-key signed response that,
when decrypted, contains the decryption passphrase. An HSM might
work here
What most people are saying is that FileVault requires you to enter a
password to decrypt your account. You don't want to/can't do this. And if
you store the decryption key on the server, as others have said, you have
no security. Like leaving your house key under the front door mat.
Maybe what you need is instead of disk-level encryption is account-level
encryption if you are more worried about the security of the data stored
in non-root accounts.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
More information about the freebsd-hackers
mailing list