Passphraseless Disk Encryption Options?
Fraser Tweedale
frase at frase.id.au
Wed Sep 9 02:53:25 UTC 2015
On Tue, Sep 08, 2015 at 10:22:21AM -0700, Analysiser wrote:
> Hi,
>
> I'm trying to perform a whole-disk encryption for my boot drive to protect its data at rest. However, I would like to have a Mac OS X-ish full-disk encryption that does not explicitly ask for a passphrase and would boot as normal without manual input of a passphrase. I tried to do it with geli(8) but it seems there is no way I can avoid the manual interaction. Really curious if there is a way to achieve it? Thanks!
>
>
> Xiao
>
If the machine is on a trusted network, and if networking
capabilities are available in the boot environment, you can
coordinate with another host to decrypt the secret key and boot
without operator intervention.
In the scheme proposed in [1] the secret is encrypted locally and
sent to a trusted server for decryption (TLS protects the secret on
the wire). A variation of this protocol that does not expose the
secret to the decryption service or on the wire is being
investigated.
You can watch a demo[2] of the system in action.
The tech is all very Red Hat-centric at the moment but the general
approach or the specific protocol could be implemented for FreeBSD.
[1] http://www.freeipa.org/page/Network_Bound_Disk_Encryption
[2] https://www.youtube.com/watch?v=lyDmhhVgXEc
Cheers,
Fraser
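Editor's note: the two protocols Fraser sketches (encrypt the secret to the server and let the server decrypt it, versus a variant in which the server never sees the secret) are easier to compare in code. The following is an added example and is not code from this post, from FreeIPA, or from the NBDE project; it uses a toy Diffie-Hellman group (p = 2**521 - 1, g = 3, assumed here so the script runs with the standard library only), an XOR-plus-HMAC wrap standing in for a real AEAD, and a `UnlockServer` class standing in for the real host and its TLS transport. The blinded variant is one plausible construction of the "does not expose the secret" idea, not a description of what Red Hat ended up shipping.

```python
"""Two flavours of network-bound disk unlock in a toy Diffie-Hellman group.

Added example, not code from the post above or from FreeIPA/NBDE:
  1. decrypt_on_server: the wrapped disk key is encrypted to the unlock
     server's public key and handed to the server at boot; the server
     decrypts and returns the disk key, so it (and anyone who can read
     the TLS-protected channel) sees the key.
  2. blinded: the client sends a blinded group element, the server raises
     it to its private exponent, the client unblinds; the server learns
     neither the disk key nor the wrapping secret.
Assumptions: p = 2**521 - 1 with g = 3 is a toy group chosen so this runs
with the standard library only (use a standardised group or a curve for
real); the XOR+HMAC wrap stands in for a proper AEAD; UnlockServer
replaces the real network/TLS transport.
"""
import hashlib
import hmac
import secrets

P = 2**521 - 1   # Mersenne prime M521: a toy group, not for production
G = 3

def _rand_exp():
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]

def _kdf(shared):
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def _wrap(kek, disk_key):
    assert len(disk_key) == 32 == len(kek)
    ct = bytes(a ^ b for a, b in zip(disk_key, kek))
    return ct, hmac.new(kek, ct, hashlib.sha256).digest()

def _unwrap(kek, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, kek))

class UnlockServer:
    """Stands in for the trusted host; 'seen' records what it learns."""
    def __init__(self):
        self._s = _rand_exp()
        self.pub = pow(G, self._s, P)            # S = g^s, published
        self.seen = []

    def decrypt(self, c_pub, ct, tag):           # scheme 1 endpoint
        disk_key = _unwrap(_kdf(pow(c_pub, self._s, P)), ct, tag)
        self.seen.append(disk_key)               # the server now holds the key
        return disk_key

    def exponentiate(self, x):                   # scheme 2 endpoint
        self.seen.append(x)                      # only a blinded element
        return pow(x, self._s, P)

# Scheme 1: server decrypts and returns the key.
def provision_decrypt_on_server(server_pub, disk_key):
    c = _rand_exp()
    ct, tag = _wrap(_kdf(pow(server_pub, c, P)), disk_key)   # K = S^c
    return {"c_pub": pow(G, c, P), "ct": ct, "tag": tag}

def boot_decrypt_on_server(server, blob):
    return server.decrypt(blob["c_pub"], blob["ct"], blob["tag"])

# Scheme 2: blinded exchange; c and K are discarded after provisioning.
def provision_blinded(server_pub, disk_key):
    c = _rand_exp()
    ct, tag = _wrap(_kdf(pow(server_pub, c, P)), disk_key)   # K = S^c
    return {"c_pub": pow(G, c, P), "ct": ct, "tag": tag, "server_pub": server_pub}

def boot_blinded(server, blob):
    e = _rand_exp()
    x = blob["c_pub"] * pow(G, e, P) % P          # g^(c+e), sent to server
    y = server.exponentiate(x)                     # g^(s(c+e)) comes back
    unblind = pow(pow(blob["server_pub"], e, P), -1, P)  # (g^(se))^-1
    return _unwrap(_kdf(y * unblind % P), blob["ct"], blob["tag"])  # K = g^(sc)

def demo(disk_key=None):
    """Runs both schemes against fresh servers and reports what each learned."""
    disk_key = disk_key or secrets.token_bytes(32)
    s1, s2 = UnlockServer(), UnlockServer()
    b1 = provision_decrypt_on_server(s1.pub, disk_key)
    b2 = provision_blinded(s2.pub, disk_key)
    tampered = dict(b2, ct=bytes([b2["ct"][0] ^ 1]) + b2["ct"][1:])
    try:
        boot_blinded(s2, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "scheme1_ok": boot_decrypt_on_server(s1, b1) == disk_key,
        "scheme1_server_saw_key": disk_key in s1.seen,
        "scheme2_ok": boot_blinded(s2, b2) == disk_key,
        "scheme2_server_saw_key": disk_key in s2.seen,
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    print(demo())
```

The point of `seen` is the comparison: in scheme 1 the unlock server ends up holding the disk key itself, so TLS only protects the wire and the server's operator is fully trusted; in scheme 2 the server only ever sees g^(c+e) for a fresh random e, and the client recovers g^(sc) locally. In both, the machine also needs to convince itself it is talking to the right server (certificate pinning or a pre-shared server public key, as the `server_pub` in the blob models), otherwise a host on the same network can play the server role.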