Full Disk Encryption

Zwitterion
Can anyone tell me of any full hard drive encryption products out there that just act as a layer of the operating system, a sort of on-the-fly kind of encryption? I've taken a look at TrueCrypt but I was wondering if there was anything else out there that can achieve this.
 
The problem with that idea is that the kernel can't be loaded without decrypting it first, which then leads to the boot loader requiring decryption support, and if it doesn't fit entirely in the MBR, then you need an unencrypted segment to hold it. From there it doesn't sound nearly as difficult, but including an MBR that can decrypt the file system enough to load the kernel sounds like a bit of a hassle, but not impossible.
 
You can use geli or gbde on FreeBSD to encrypt a partition (or any other GEOM provider). It is even possible to have the root partition on a geli-encrypted device, but I have no idea how much work that is to set up.

See the handbook for a short guide.
 
Zwitterion said:
Can anyone tell me of any full hard drive encryption products out there that just act as a layer of the operating system, a sort of on-the-fly kind of encryption? I've taken a look at TrueCrypt but I was wondering if there was anything else out there that can achieve this.

Take a look at encfs or loop-aes. There are more options, like LUKS, but the two I mentioned before are more popular; there are several HOWTOs available for them also.
 
We can note that the upcoming Debian release features full disk encryption as an installation option, so it'll probably become rather more popular soon.
 
Xipher said:
The problem with that idea is that the kernel can't be loaded without decrypting it first, which then leads to the boot loader requiring decryption support, and if it doesn't fit entirely in the MBR, then you need an unencrypted segment to hold it. From there it doesn't sound nearly as difficult, but including an MBR that can decrypt the file system enough to load the kernel sounds like a bit of a hassle, but not impossible.

THAT is why you have a small (~64meg) /boot partition that is straight ext2
 
eeyrjmr said:
THAT is why you have a small (~64meg) /boot partition that is straight ext2
Yes, but that means the entire disk isn't encrypted (I know, that is getting picky, but it counts). Also, make sure you do need some sort of user input in order for the kernel to actually do the decryption, otherwise it means jack squat since you hand anyone that can grab the HD the keys to decrypt it anyway.
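An added illustration of the point Xipher makes above (editor's example, not code from anyone in this thread): two toy disk layouts, one whose volume key sits in the unencrypted /boot area and one whose key is derived from a passphrase with PBKDF2 so that only a public salt is on disk. The "cipher" is a stand-in keystream built from HMAC-SHA256 so the script runs with the Python standard library alone; real FDE such as geli, loop-aes or LUKS uses AES in a disk mode instead. The `ROOTFS` marker, the partition names and the passphrase guess lists are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy stream cipher for illustration only: keystream block i = HMAC-SHA256(key, i).
# Real FDE (geli, dm-crypt/LUKS, loop-aes) uses a block cipher such as AES in a
# disk-oriented mode; this stand-in lets the example run with the stdlib alone.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2 ties the volume key to something that is NOT on the disk: the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)

# Stands in for a filesystem superblock signature; an attacker uses it to recognise
# a successful decryption (constructed marker, not a real on-disk format).
MARKER = b"ROOTFS\x00"

def make_disk_keyfile(plaintext: bytes) -> dict:
    """Bad layout: the volume key sits in the unencrypted /boot area next to the data."""
    key = os.urandom(32)
    return {"boot": b"KEYFILE:" + key, "root": xor_crypt(key, plaintext)}

def make_disk_passphrase(plaintext: bytes, passphrase: str) -> dict:
    """Better layout: only a public salt is on disk; the key exists only after the user types."""
    salt = os.urandom(16)
    return {"boot": b"SALT:" + salt, "root": xor_crypt(derive_key(passphrase, salt), plaintext)}

def owner_unlock(disk: dict, passphrase: str) -> bytes:
    """What the legitimate user does at boot: type the passphrase, re-derive the key."""
    salt = disk["boot"][len(b"SALT:"):]
    return xor_crypt(derive_key(passphrase, salt), disk["root"])

def attacker_with_disk_only(disk: dict, guesses=()) -> Optional[bytes]:
    """What someone who grabs the HD can do with nothing but an image of it."""
    boot = disk["boot"]
    if boot.startswith(b"KEYFILE:"):
        # No user input was needed at boot, so none is needed by the attacker either.
        return xor_crypt(boot[len(b"KEYFILE:"):], disk["root"])
    if boot.startswith(b"SALT:"):
        # Without the passphrase the only route is guessing; a weak one still falls.
        salt = boot[len(b"SALT:"):]
        for guess in guesses:
            candidate = xor_crypt(derive_key(guess, salt), disk["root"])
            if candidate.startswith(MARKER):
                return candidate
    return None

if __name__ == "__main__":
    secret = MARKER + b"root:x:0:0::/root:/bin/sh\ncustomer records"
    print("keyfile on disk, recovered:", attacker_with_disk_only(make_disk_keyfile(secret)) == secret)
    disk = make_disk_passphrase(secret, "correct horse battery staple")
    print("owner unlock ok:", owner_unlock(disk, "correct horse battery staple") == secret)
    print("attacker, no passphrase:", attacker_with_disk_only(disk, ["password", "123456"]))
    print("attacker, guessable passphrase:",
          attacker_with_disk_only(disk, ["password", "correct horse battery staple"]) == secret)
```

The keyfile layout decrypts with zero effort because everything the kernel needed at boot is also on the stolen disk. The passphrase layout resists an attacker who only has the image, but the last line shows the caveat: user input is necessary, not sufficient, since a passphrase that appears in a guess list is recovered by the same loop the owner runs.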
 
Xipher said:
The problem with that idea is that the kernel can't be loaded without decrypting it first, which then leads to the boot loader requiring decryption support, and if it doesn't fit entirely in the MBR, then you need an unencrypted segment to hold it. From there it doesn't sound nearly as difficult, but including an MBR that can decrypt the file system enough to load the kernel sounds like a bit of a hassle, but not impossible.
Even with a boot loader that supports encryption, you still cannot achieve full disk encryption. The boot loader must be unencrypted otherwise you will not be able to load it.
 
jimmyb said:
Even with a boot loader that supports encryption, you still cannot achieve full disk encryption. The boot loader must be unencrypted otherwise you will not be able to load it.
Yea, unless you put the boot loader on a CD :)
 
Touché. And then the disk just looks like random bits, ideally indistinguishable from a disk with no information on it.

I looked into getting grub booting off a cdrom a year or so back and didn't have any luck. I don't think it was supported at the time.
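An added check (editor's example, not from anyone in the thread) of the claim above that the disk "just looks like random bits": it measures per-block entropy of a few constructed disk images, and also shows the caveat that headered formats such as LUKS and geli are identifiable by their metadata. The 4 KiB block size, the 7.8 bits/byte threshold, the image names and the sample contents are the example's own assumptions; `LUKS\xba\xbe` at offset 0 and `GEOM::ELI` at the start of the last sector are those formats' real header strings.

```python
import math
import os
from collections import Counter

SECTOR = 4096

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_fraction(image: bytes, threshold: float = 7.8) -> float:
    """Fraction of SECTOR-sized blocks that look like ciphertext or random data."""
    blocks = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    return sum(shannon_entropy(b) >= threshold for b in blocks) / len(blocks)

# Header magics a forensic tool keys on. A volume in a headered format is trivially
# identifiable as "encrypted", which is not the same as "looks like an empty disk".
LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS header, offset 0 of the volume
GELI_MAGIC = b"GEOM::ELI"      # geli keeps its metadata in the provider's last sector

def volume_signature(image: bytes) -> str:
    if image.startswith(LUKS_MAGIC):
        return "luks"
    for sector_size in (512, 4096):
        if len(image) >= sector_size and image[-sector_size:].startswith(GELI_MAGIC):
            return "geli"
    return "none"

def build_images(n_sectors: int = 64) -> dict:
    """Constructed sample images: wiped, plain ext2-style text, headerless random, LUKS, geli."""
    size = n_sectors * SECTOR
    text = (b"/dev/sda1 / ext2 defaults 0 1\nroot:x:0:0:root:/root:/bin/sh\n" * 40)[:SECTOR]
    text += bytes(SECTOR - len(text))
    return {
        "wiped":     bytes(size),                          # zero-filled, factory-fresh
        "plaintext": text * n_sectors,                     # unencrypted filesystem data
        "random":    os.urandom(size),                     # stands in for a headerless encrypted disk
        "luks":      LUKS_MAGIC + os.urandom(size - len(LUKS_MAGIC)),
        "geli":      os.urandom(size - 512) + GELI_MAGIC + os.urandom(512 - len(GELI_MAGIC)),
    }

def summarize(images: dict) -> dict:
    """name -> (fraction of high-entropy blocks, recognised header)."""
    return {name: (round(high_entropy_fraction(img), 2), volume_signature(img))
            for name, img in images.items()}

if __name__ == "__main__":
    for name, (fraction, sig) in summarize(build_images()).items():
        print(f"{name:10s} high-entropy blocks: {fraction:.2f}  signature: {sig}")
```

Two caveats fall out of the numbers. A zero-wiped disk scores 0.0, so "indistinguishable from a disk with no information on it" only holds if the comparison disk was itself filled from /dev/urandom. And the LUKS and geli images are just as random block-for-block as the headerless one, yet their metadata marks them as encrypted volumes; that matters for deniability, not for confidentiality.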
 
Put the bootloader and key on a USB keydrive and you're fine. The unencrypted information is only needed on boot and it's silly to keep anything unencrypted, sooooo... USB or CD-ROM (business card type anyone?).
 
jimmyb said:
touche. And then the disk just looks like random bits, ideally indistinguishable from a disk with no information on it.

I looked into getting grub booting off a cdrom a year or so back and didn't have any luck. I don't think it was supported at the time.

Why not use syslinux?
 