harddrive encryption

Modulok modulok at gmail.com
Tue Jan 18 05:05:55 UTC 2011


On 1/17/11, Roland Smith <rsmith at xs4all.nl> wrote:
> On Mon, Jan 17, 2011 at 09:30:39PM +0100, Alokat wrote:
>> Hi,
>>
>> is it possible to encrypt my full hard drive (excluding /boot) during a
>> FreeBSD installation? Or do I have to do this after the installation
>> manually?
>
> Currently you have to do it manually afterwards.
>
> Personally, I would not bother encrypting the OS data; there is nothing
> secret there, and it does have a performance impact. Plus it would provide
> ample material for a known-plaintext attack!
>

Modern ciphers such as AES are not susceptible to known plaintext
attacks. The advantage to full disk encryption, including operating
system data, is that nothing is ever accidentally missed. The hard drive
can safely be thrown out when it fails or is decommissioned, with no
worry that some temporary file or database somewhere you forgot about
wasn't on the right partition.

Regardless, these are only offline protections from physical theft for
low to moderately motivated attackers. If you had a database of
medical or financial records, disk encryption is probably a good
thing. Otherwise http://xkcd.com/538/

The real danger is loss or corruption of the decryption keys. Make backups!
-Modulok-

