# Partitioning and encryption questions



## Malurk (May 21, 2011)

I want to install FreeBSD and I have some questions about partitioning. I would like to keep all my data encrypted but I don't need programs encrypted. I understand that I should encrypt /home, /var and /tmp, and leave root unencrypted, but should I also encrypt /usr? What kind of files will /usr contain?

It would be quite nice if I could boot up without opening the encrypted drives, and then login via ssh and open them. Is this possible? That is, can you boot and get an ssh server running without /home, /var and /tmp? Or maybe I could have /home, /var and /tmp as directories on the root partition and then mount the encrypted versions over them once I have logged in? Or is this a bad idea?


----------



## SirDice (May 23, 2011)

Malurk said:

> What kind of files will /usr contain?


See hier(7).



> It would be quite nice if I could boot up without opening the encrypted drives, and then login via ssh and open them. Is this possible? That is can you boot and get an ssh server running without /home, /var and /tmp?


It might be possible but you won't be able to login because /home/ is not accessible.

Why don't you just create a separate encrypted filesystem and mount it under your home directory when you need it?

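The on-demand mount SirDice suggests, written out as an added example rather than anything from the thread: it assumes FreeBSD with geli(8), a provider that was set up once with `geli init` and `newfs`, and placeholder names for the device and the mount point inside the home directory.

```shell
#!/bin/sh
# Added example, not from the thread. Attach a geli-encrypted provider and
# mount it over a directory in the home directory, then detach it again.
# Assumes FreeBSD with geli(8). One-time setup (assumed device name):
#   geli init -s 4096 /dev/da0p5 && geli attach /dev/da0p5 && newfs /dev/da0p5.eli
#
# attach_private DEVICE MOUNTPOINT
# Returns 0 on success, 64 on bad arguments, 1 when the device or mount point
# is missing or already in use, 2 when geli(8) is not available.
attach_private() {
    dev="$1"; mnt="$2"
    [ -n "$dev" ] && [ -n "$mnt" ] || {
        echo "usage: attach_private DEVICE MOUNTPOINT" >&2; return 64; }
    [ -e "$dev" ] || { echo "no such device: $dev" >&2; return 1; }
    [ -d "$mnt" ] || { echo "no such mount point: $mnt" >&2; return 1; }
    command -v geli >/dev/null 2>&1 || {
        echo "geli(8) not found; is this FreeBSD?" >&2; return 2; }
    # Refuse to stack a second filesystem on a directory that is already mounted.
    mount | grep -q " on $mnt " && { echo "$mnt already mounted" >&2; return 1; }
    # geli prompts for the passphrase on the terminal (works over ssh too).
    geli attach "$dev" || return 1
    # nosuid: this is a data-only filesystem, so setuid binaries have no business here.
    mount -o nosuid "${dev}.eli" "$mnt" || { geli detach "$dev"; return 1; }
}

# detach_private DEVICE MOUNTPOINT
# Unmounts and detaches so the key material is dropped from the kernel.
detach_private() {
    dev="$1"; mnt="$2"
    [ -n "$dev" ] && [ -n "$mnt" ] || {
        echo "usage: detach_private DEVICE MOUNTPOINT" >&2; return 64; }
    command -v geli >/dev/null 2>&1 || {
        echo "geli(8) not found; is this FreeBSD?" >&2; return 2; }
    umount "$mnt" || return 1   # fails while a process still has files open there
    geli detach "$dev"
}

# Typical session (assumed names):
#   attach_private /dev/da0p5 /home/malurk/private
#   ... work ...
#   detach_private /dev/da0p5 /home/malurk/private
```

Note that this only covers the home directory: anything written to /tmp, /var or a shell history file outside the mount point stays on the unencrypted filesystems, which is the gap raised in the next reply.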

----------



## Malurk (May 23, 2011)

That would be simpler, yes. But I think that there is a risk that traces of confidential data will end up in /tmp and /var. Also, things like bash_history will not be encrypted.


----------



## bbzz (May 24, 2011)

But, if you are doing something that you want to potentially hide (such as encrypting what you type), isn't it logical to want to hide the tools that you use? You are already encrypting most of the stuff, so why bother leaving something out? You won't really feel a difference in performance.


----------



## Malurk (May 24, 2011)

Yes, whole disk encryption is probably the best solution. I just wanted to see if there is a way to boot without a password and then open things up over ssh, but I can see that it would be difficult.


----------



## Zare (May 24, 2011)

Use a board with IPMI. Or use some thin device that you can SSH into always, with serial interconnection to your main computer.


----------

