Partitioning and encryption questions

M

Malurk

I want to install FreeBSD and I have some questions about partitioning. I would like to keep all my data encrypted but I don't need programs encrypted. I understand that I should encrypt /home, /var and /tmp, and leave root unencrypted, but should I also encrypt /usr? What kind of files will /usr contain?

It would be quite nice if I could boot up without opening the encrypted drives, and then login via ssh and open them. Is this possible? That is can you boot and get an ssh server running without /home, /var and /tmp? Or maybe I could have one /home, /var and /tmp as directories on the root partition and then mounting the encrypted versions over them once I have logged in? Or is this a bad idea?
 
Malurk said:
What kind of files will /usr contain?
Click to expand...
See hier(7).

It would be quite nice if I could boot up without opening the encrypted drives, and then login via ssh and open them. Is this possible? That is can you boot and get an ssh server running without /home, /var and /tmp?
Click to expand...
It might be possible but you won't be able to login because /home/ is not accessable.

Why don't you just create a seperate encrypted filesystem and mount it under your home directory when you need it?
 
That would be simpler, yes. But I think that there is a risk that traces of confidential data will end up in /tmp and /var. Also, things like bash_history will not be encrypted.
 
But, if you are doing something that you want to potentially hide (such as encrypting what you type), isn't it logical to want to hide tools that you use? You are already encrypting most of the stuff, why bother leaving something out. You won't really feel a difference in performance.
 
Yes, whole disk encryption is probably the best solution. Just wanted to see if there is a way to boot without password and then open things up over ssh, but I can see that it would be difficult.
 
Use a board with IPMI. Or use some thin device that you can SSH into always, with serial interconnection to your main computer.
 
You must log in or register to reply here.
Back
Top