Full disk encryption without root partition
Martin Laabs
info at martinlaabs.de
Sat Dec 29 21:56:07 UTC 2012
Hi,
>> Are there any plans or is there already support for full
>> disk encryption without the need for a boot partition?
Well - what would be your benefit? OK - you might not create another
partition but I think this is not the problem.
From the point of security you would not get any improvement because some
type of software has to be unencrypted. And this software could be
manipulated to do things like e.g. send the encryption key to <attacker>.
So from this point of view there is no difference whether the kernel is
unencrypted or any other type of software (that runs before the kernel) is
unencrypted.
There is a solution named secureboot together with TPM but this introduces
some other aspects that are not so very welcome in the open source community.
So from the security point of view it might be a good choice to have an
unencrypted and (hardware) read-only boot partition.
Best regards,
Martin Laabs
More information about the freebsd-questions mailing list