Disk Encryption
The beauty with PC-BSD is you can install all slices including /boot and swap on the same partition(primary partition), and an attacker will only see the one partition, he wont know what slices, mount points, or where each is located inside of that partition, atleast not without forensics, or gaining access another way, and that would take some work as only boot and swap would be unencrypted, using forensics to scan the entire partiton to find to small pieces of unencrypted space on a slight maybe chance that something important was written to swap is not realistic in my opinion.
I believe the PC-BSD handbook mentions a security risk with encrypting / as keys would need to be installed in /boot,but that risk is greatly increased if /boot is written to its own primary partition, as again, an attacker can more easily see a primary partition and focas his/her efforts to accessing it, and because it would need to be unencrypted it is more vulnerable. but if installed as a slice inside a single partition with the rest of the PC-BSD install, it can not opened and viewed casually.
openBSD is different because you see every slice after install, even though it too can be installed to 1 partition.
if you open up dolphin,or windows partiton manager from another os to look at the pc-bsd install you will only see that 1 partiton if you install all slices inside of 1 primary partition. even though most, not all, of the partition is encrypted you cant access the partition at all without a password. in this way, no one can casually look at your swap or /boot.
i have 2 suggestions to those wanting to encryt(we will assume 100gb for install):
option 1(pain free): use 1 primary partition. put 3 slices inside that partition:
500mb /boot ufs (only ufs !) no encryption
97.5gb choose zfs and add these mount point points to the same slice:/,/var,/usr, and /home (yes ! all 4 mount points on 1 slice,zfs can do it) encrypt
2gb swap unencrypted
option 2(painful, mixxed results, some install and boot failures): use a usb flash drive and install a 500mb partition(do not use pc-bsd to create the partition)
500mb /boot ufs (only ufs !) no encryption, installed to the usb flash drive
98gb choose zfs and add these mount point points to the same slice:/,/var,/usr, and /home (yes ! all 4 mount points on 1 slice,zfs can do it) encrypt
2gb swap unencrypted
*NOTE: i would say option 2 is not successful at the moment, until install and boot success rate get higher. its a work in progress, if i get better results i will edit this.
Edit** 1 problem with option 2 is the pc-bsd bootloader only can see the 4 partitions on the hd that / is installed to, though you can f5 to the next hard drive during start up, however f5 wont jump to boot from the flash drive. i have tried booting from the flash drive, and also using other os's bootloaders to start pc-bsd from the /boot on the flash drive, all end in boot failure at the moment.
install swap last, for some reason installing swap before / can result in install/boot failures.
for me, trying to encrypt swap anyway has resulted in password recognition failures for swap during start up, as pointed out above, if swap is installed as a slice inside one partition with the rest of the system, noone can access it anyway.
please post any positive results, work arounds, or other thoughts.
Last edited by Skull Fire; 04-08-2011 at 11:38 PM.
|
Hybrid Mode
