GEOM/GELI Boot Disk Encryption

Eric Crist mnslinky at gmail.com
Fri Jun 8 12:16:48 UTC 2007


On Jun 7, 2007, at 9:54 AM, cpghost wrote:

> On Wed, Jun 06, 2007 at 07:00:44PM +0200, Roland Smith wrote:
> You may wish to (at least) encrypt swap partitions, /tmp and /var/tmp,
> and probably /usr/tmp (if it's not a symlink to encrypted /var/tmp) in
> addition to /home. Most userland programs can leak sensitive data there
> that you'd rather have encrypted too.
>
> Add to this: stuff like /var/db (esp. useful for /var/db/pgsql,
> /var/db/mysql, mail spool directories and some such), and maybe
> /var/log as well. Encrypting the complete /var filesystem is
> easier though... Some ports also use /usr/local/www to store
> user-specific data, but what's the point of encrypting this? ;-)
>

> Regards,
> -cpghost.

So, back to encrypting my entire disk, I just need to put the boot  
partition on its own slice?

There's all the bits available to start up the decryption stuff after  
that loads, so I can make my entire system, swap and all, encrypted,  
right?

Eric

