Passphraseless Disk Encryption Options?
Fabian Keil
freebsd-listen at fabiankeil.de
Wed Sep 9 09:57:37 UTC 2015
Analysiser <analysiser at gmail.com> wrote:
> I’m trying to protect my startup disk’s data from being tampered with
> by someone who has physically access to the disk. He might put it on some
> other machine, add some malicious code or check the logs stored in /var,
> and then put it back my machine, when the machine is stayed in some public
> untrusted environment. When I regain the machine from a public untrusted
> environment and boot the disk, some malicious code might running and try
> to contaminate my own network or other machines, or monitor my activities
> with the machine.
You can boot the system using an encrypted root pool by putting a
geli keyfile and essential parts of the kernel on an unencrypted
boot pool that is destroyed and overwritten once the system has
booted.
I do that with ElectroBSD but it works on vanilla FreeBSD as
well. It's not perfect, but depending on your threat model it
may be good enough:
https://www.fabiankeil.de/gehacktes/electrobsd/#fde
https://www.fabiankeil.de/gehacktes/cloudiatr/
Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20150909/7bde7d84/attachment.bin>
More information about the freebsd-hackers
mailing list