Reply
 
Thread Tools Display Modes
  #1  
Old 03-04-2011, 05:19 PM
Skull Fire Skull Fire is offline
Senior Member
 
Join Date: Feb 2011
Posts: 218
Thanks: 0
Thanked 0 Times in 0 Posts
Default Disk Encryption
The beauty with PC-BSD is you can install all slices including /boot and swap on the same partition(primary partition), and an attacker will only see the one partition, he wont know what slices, mount points, or where each is located inside of that partition, atleast not without forensics, or gaining access another way, and that would take some work as only boot and swap would be unencrypted, using forensics to scan the entire partiton to find to small pieces of unencrypted space on a slight maybe chance that something important was written to swap is not realistic in my opinion.

I believe the PC-BSD handbook mentions a security risk with encrypting / as keys would need to be installed in /boot,but that risk is greatly increased if /boot is written to its own primary partition, as again, an attacker can more easily see a primary partition and focas his/her efforts to accessing it, and because it would need to be unencrypted it is more vulnerable. but if installed as a slice inside a single partition with the rest of the PC-BSD install, it can not opened and viewed casually.

openBSD is different because you see every slice after install, even though it too can be installed to 1 partition.

if you open up dolphin,or windows partiton manager from another os to look at the pc-bsd install you will only see that 1 partiton if you install all slices inside of 1 primary partition. even though most, not all, of the partition is encrypted you cant access the partition at all without a password. in this way, no one can casually look at your swap or /boot.

i have 2 suggestions to those wanting to encryt(we will assume 100gb for install):
option 1(pain free): use 1 primary partition. put 3 slices inside that partition:
500mb /boot ufs (only ufs !) no encryption
97.5gb choose zfs and add these mount point points to the same slice:/,/var,/usr, and /home (yes ! all 4 mount points on 1 slice,zfs can do it) encrypt
2gb swap unencrypted

option 2(painful, mixxed results, some install and boot failures): use a usb flash drive and install a 500mb partition(do not use pc-bsd to create the partition)
500mb /boot ufs (only ufs !) no encryption, installed to the usb flash drive
98gb choose zfs and add these mount point points to the same slice:/,/var,/usr, and /home (yes ! all 4 mount points on 1 slice,zfs can do it) encrypt
2gb swap unencrypted

*NOTE: i would say option 2 is not successful at the moment, until install and boot success rate get higher. its a work in progress, if i get better results i will edit this.
Edit** 1 problem with option 2 is the pc-bsd bootloader only can see the 4 partitions on the hd that / is installed to, though you can f5 to the next hard drive during start up, however f5 wont jump to boot from the flash drive. i have tried booting from the flash drive, and also using other os's bootloaders to start pc-bsd from the /boot on the flash drive, all end in boot failure at the moment.

install swap last, for some reason installing swap before / can result in install/boot failures.

for me, trying to encrypt swap anyway has resulted in password recognition failures for swap during start up, as pointed out above, if swap is installed as a slice inside one partition with the rest of the system, noone can access it anyway.

please post any positive results, work arounds, or other thoughts.

Last edited by Skull Fire; 04-08-2011 at 11:38 PM.
Reply With Quote
  #2  
Old 07-02-2011, 04:49 PM
Skull Fire Skull Fire is offline
Senior Member
 
Join Date: Feb 2011
Posts: 218
Thanks: 0
Thanked 0 Times in 0 Posts
Default
I plan to do some testing in the near future with 9.0 and will edit the above for any changes, enhancements and other ideas.
__________________
multi-booting PC-BSD 8.2 64bit and others; all KDE all the time
intel core2 duo e6600 @ 3.0
biostar tpower i45
6gb DDR2 800
nvidia 9800gt
Reply With Quote
  #3  
Old 09-20-2011, 02:20 AM
Loki44 Loki44 is offline
Junior Member
 
Join Date: Jul 2011
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default
Originally Posted by Skull Fire View Post
I plan to do some testing in the near future with 9.0 and will edit the above for any changes, enhancements and other ideas.
How can you test this stuff? Encryption is great, don't make it easy for them, once 'they' have your computer do not think 'they' can't get into it. What do you really know about 'geli' and it's capabilities? It's not that the bad guys have super cpu's it's just that 'they' have lots of clustered computers that is doing more flops than you and I could dream of.

As for OpenBSD, well, how do hackers get in, they exploit programming errors (code audit/s) and randomising buffer.. Gee, stack based overflow here, so, lets exploit it..Oh, man can feed code to that buffer, that program/exploit isn't there. FreeBSD adopted PF and they could also adopt other things from OpenBSD
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:15 AM.


Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.

Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.