ZFS: How to use Geli without typing a passphrase

Actually, I am rather interested if the TPM 1.2 standard can be used from free and open code. Or do you need some proprietary keys to access the TPM?
Have a look at security/gnutls, it comes with tpmtool(1).
And there is security/trousers, but FreeBSD's port/package does not provide the TPM management commands that the Linux version does. Not available on FreeBSD:


Here is an article using TPM for full disk encryption:
 
Mildly off-topic but I am still not clear why people choose to have the OS partition(s) encrypted. What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand. I fully understand protecting end user data with encryption in case of a physical theft.
 
You should probably revoke those keys in any case, even if you know they're stored on an encrypted volume.
 
Mildly off-topic but I am still not clear why people choose to have the OS partition(s) encrypted. What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand. I fully understand protecting end user data with encryption in case of a physical theft.

I was thinking about that for a while, and came to the conclusion not to encrypt the root, mainly for convenience reasons: I want a basic single-user OS to come up in case of problems, because that is my main toolkit to fix the other things, e.g. rc.d issues, hardware issues... and in such a case, when there are problems already, I don't want to bother with other things, like broken CD readers, USB boot support gone fishing, or encryption.

But I found there are quite a lot of things to be taken care of. As SirDice mentioned, there may be stuff spamming /etc that does not belong there. But then there is also the issue of /var. The OS wants /var to be there; vi doesn't run when it is missing, and other things may not, too.
So you have to look into there, understand what all that stuff is good for, and devise a solution. Maybe having a limited /var directory on the root filesystem and overmounting during boot (which may bring other problems).
 
What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand.
Two simple reasons for me to almost never go unencrypted:
*) In case of theft I don't have to worry about my data. There is still stuff that is temporarily downloaded to /tmp by Firefox or Thunderbird or whatever. Defective head of a hard disk? Just throw it away; I don't have to worry that some hobby forensics try to recover my bitcoin wallet or emails...
*) It is much harder to tamper with my system while I am gone and someone tries to spy on me.
 
So, if the system is running, encryption provides no protection. Encrypting a drive only protects against physical theft. Not saying you shouldn't encrypt, but just be aware of what it does protect and under what circumstances.
 
So, if the system is running, encryption provides no protection. Encrypting a drive only protects against physical theft. Not saying you shouldn't encrypt, but just be aware of what it does protect and under what circumstances.
Yes, exactly. Encrypting data at rest is just a first step in a security strategy. I use gpg, openssl etc. to keep my most important data on that disk encrypted a second time, just in case my browser gets hacked or whatever...
 
Mildly off-topic but I am still not clear why people choose to have the OS partition(s) encrypted. What does this protect? While running, it protects nothing, same as the end user data, but if a disk gets physically stolen it protects against data loss, but it's an OS so that's the part I don't understand. I fully understand protecting end user data with encryption in case of a physical theft.
Imagine that your server works at a remote place where external people have physical access to the hardware. They don't have any access to the OS (the server does background work). What is the difference between an encrypted partition and an unencrypted one? The difference is that external people can get data or security keys from this server: power off, remove the HDD, attach it to another PC and mount the file system. What will they do when the disk is encrypted? The only thing they can do is to try to read the RAM while it still keeps its last values and scan for a password/private key/etc.
 
The explanation that 6502 gave is correct. The crucial question here is: where is the key required to unlock the disk (or decrypt its content) stored? Imagine for a moment that it is stored by writing it (with a pen) on the paper label on the disk, or on a yellow sticker on the case of the computer that contains the disk. Then anyone who gets physical access to or control of the computer or disk can read the disk. In this scenario, encryption is mostly useless.

Similarly, partitioning the disk into a (small) unencrypted part and a (large) encrypted one, and then storing the key on the unencrypted partition, is mostly useless: if the thief knows enough about how to use computers, they can unlock the disk. So this demonstrates that the key has to be kept safely and far away from the disk. One good place is the brain of the user or administrator, but brains are notoriously unreliable, they fail often, and they are expensive at scale. So you have to build a key storage and distribution infrastructure.
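The point above (key off the disk, no typed passphrase) as an added example, not code from the thread: a geli provider is initialised with a random keyfile kept on removable media and attached at boot from rc.conf(5). The provider name da0 and the mount point /mnt/keys are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a geli provider without a typed
# passphrase by keeping a random keyfile on removable media, never on the
# unencrypted part of the same disk. Assumed names: /dev/da0 (the provider),
# /mnt/keys (mount point of a USB stick that holds the key).
set -eu

# Create a 64-byte random keyfile with owner-only permissions; prints its size.
make_keyfile() {
    keyfile=$1
    umask 077
    dd if=/dev/urandom of="$keyfile" bs=64 count=1 2>/dev/null
    wc -c < "$keyfile" | tr -d ' '
}

# rc.conf(5) lines that attach the provider at boot with the keyfile and no
# passphrase (-p / -k are the geli attach flags; init below uses -P / -K).
rc_conf_lines() {
    prov=$1; keyfile=$2
    printf 'geli_devices="%s"\ngeli_%s_flags="-p -k %s"\n' "$prov" "$prov" "$keyfile"
}

# Initialise and attach the provider; only meaningful where geli(8) exists.
setup_geli() {
    prov=$1; keyfile=$2
    geli init -P -K "$keyfile" -s 4096 "/dev/$prov"
    geli attach -p -k "$keyfile" "/dev/$prov"
}

# Run the real setup only when asked and only on a host that has geli(8).
if [ "${1:-}" = "run" ] && command -v geli >/dev/null 2>&1; then
    make_keyfile /mnt/keys/da0.key >/dev/null
    setup_geli da0 /mnt/keys/da0.key
    rc_conf_lines da0 /mnt/keys/da0.key >> /etc/rc.conf
fi
```

If the USB stick is not present at boot the attach fails and the provider stays locked, which is exactly the property the thread is after.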
 