ZFS How to use Geli without type passphrase

Actually, I am rather interested if the TPM 1.2 standard can be used from free and open code. Or do you need some proprietary keys to access the TPM?
Have a look at security/gnutls, it comes with tpmtool(1).
And there is security/trousers, but FreeBSD’s port/package does not provide the TPM management commands as does the Linux version. Not available on FreeBSD:


Here is an article using TPM for full disk encryption:
 
Mildly off-topic but I am still not clear why people choose to have the OS partition(s) encrypted. What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand. I fully understand protecting end user data with encryption in case of a physical theft.
 
You should probably revoke those keys in any case, even if you know they're stored on an encrypted volume.
 
Mildly off-topic but I am still not clear why people choose to have the OS partition(s) encrypted. What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand. I fully understand protecting end user data with encryption in case of a physical theft.

I was thinking about that for a while, and came to the conclusion to not encrypt the root - mainly for convenience reasons: I want a basic singleuser OS to come up in case of problems, because that is my main toolkit to fix the other things, eg. rc.d issues, hw issues... and in such a case, when there are problems already, I don't want to bother with other things, like broken CD readers, usb boot support gone fishing, or encryption.

But I found there is quite a lot of things to be taken care of. As SirDice mentioned, there may be stuff spamming /etc that do not belong there. But then there is also the issue of /var. The OS wants /var to be there, vi doesn't run when it is missing, other things may, too.
So you have to look into there, understand what all that stuff is good for, and devise a solution. Maybe having a limited /var directory on the root filesystem and overmounting during boot (which may bring other problems).
 
What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand.
2 simple reasons for me to almost never go unencrypted:
*) In case of theft I don't have to worry about my data. There is still stuff that is temporarily downloaded to /tmp in firefox or thunderbird or whatever. Defect head of a harddisk? just throw it away, I don't have to worry that some hobby forensics try to recover my bitcoin wallet or emails...
*) It is much harder to tamper my system while I am gone and someone tries to spy on me.
 
So, if the system is running, encryption provides no protection. Encrypting a drive only protects against physical theft. Not saying you shouldn't encrypt, but just be aware of what it does protect and under what circumstances.
 
So, if the system is running, encryption provides no protection. Encrypting a drive only protects against physical theft. Not saying you shouldn't encrypt, but just be aware of what it does protect and under what circumstances.
yes, exactly. encrypting data at rest is just a first step in a security strategy. I use gpg, openssl etc. to keep my most important data on that disk a 2nd time encrypted, just in case my browser gets hacked or whatever...
 
Back
Top