Passphraseless Disk Encryption Options?
Peter Beckman
beckman at angryox.com
Tue Sep 8 22:30:21 UTC 2015
If logs were stored in /var and that was an encrypted volume, no problem.
If you are worried about malicious code, fingerprint your known volume of
non-changing files e.g. exclude logs, then compare the files on disk with
your fingerprint. If they don't match, something has changed.
Easier to know that something has changed than to encrypt to prevent
change.
On Tue, 8 Sep 2015, Analysiser wrote:
> Hi Igor,
>
> I’m trying to protect my startup disk’s data from being tampered with by someone who has physical access to the disk. He might put it on some other machine, add some malicious code or check the logs stored in /var, and then put it back in my machine, while the machine stays in some public untrusted environment. When I regain the machine from a public untrusted environment and boot the disk, some malicious code might be running and try to contaminate my own network or other machines, or monitor my activities with the machine.
>
> I hope I explained clearer this time :)
>
> Xiao
>
>
>> On Sep 8, 2015, at 3:09 PM, Igor Mozolevsky <igor at hybrid-lab.co.uk> wrote:
>>
>>
>>
>> On 8 September 2015 at 22:50, Analysiser <analysiser at gmail.com> wrote:
>> Hi all,
>>
>> Thank you so much for all the insights here! I think it is my bad not to clarify the situation very well, but still I found a lot of things I could try from the replies. In my case I could not do remote passphrase and USB boot and/or USB hold key/passphrase since the device might not always have internet access and no ports (internally or externally) are exposed.
>>
>> I think your suggestions in separating the root filesystem and user space applications and data and perform encryption only on user portion is a more reasonable practice given the time scale on the project I’m working on. Thanks again!
>>
>> I still have some more detailed questions I’m seeking an answer to, related to the full startup disk encryption:
>>
>>
>> <snip>
>>
>> I think you're worrying about the problem from the wrong end- what is it that you're attempting to protect, I'm still unsure of that?..
>>
>>
>> --
>> Igor M.
>
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
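
Added example (not part of the original thread or of any FreeBSD tool): a sketch of the fingerprint-and-compare approach described in the reply above, hashing every regular file under a root while skipping log directories and reporting what was added, removed or modified. The function names, the `var/log` exclusion and the constructed sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(root, exclude=()):
    """Return {relative_path: sha256_hex} for regular files under root.
    Hashes contents only: modes, owners and symlink targets are not recorded."""
    manifest = {}
    skip = {os.path.normpath(e) for e in exclude}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.normpath(os.path.join(rel_dir, name))] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Return the paths that were added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def write(root, rel, data, mode="wb"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: baseline it, change it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/sh", b"original shell")
        write(root, "etc/rc.conf", b'sshd_enable="YES"\n')
        write(root, "var/log/messages", b"boot\n")
        baseline = fingerprint(root, exclude=["var/log"])
        write(root, "bin/sh", b"replaced shell")           # changed file
        write(root, "etc/rc.local", b"# new file\n")       # new file
        write(root, "var/log/messages", b"more\n", "ab")   # log growth is ignored
        return compare(baseline, fingerprint(root, exclude=["var/log"]))

if __name__ == "__main__":
    print(demo())
```

For the physical-access scenario in this thread, the baseline has to be kept off the disk being checked and the comparison run from media you trust, since anyone who can modify the files can also regenerate a manifest stored next to them.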