# Filesystem Encryption in a Server



## nabioullinr (Jun 15, 2010)

I am unsure how to best implement filesystem encryption in a server, since the passphrase must be supplied at boot (I do not have a console server nor would I be available all the time) and obviously an adversary has much more efficacious methods of recovering data from a running server.
Any ideas? Of course, I will set up onetime (temporary key) geli encryption+authentication for swap and /tmp, but I'm unsure how to encrypt user data.


----------



## graudeejs (Jun 15, 2010)

geli(8)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html

http://forums.freebsd.org/showthread.php?t=12503


----------



## nabioullinr (Jun 16, 2010)

For some reason the swap partition halved in size after enabling geli AES-256 and HMAC/SHA256: ``geli list'' displays the provider as 2.5G and the consumer as 5G. Is this due to SHA overhead?

I have the following configuration in rc.conf:

```
geli_swap_flags="-a HMAC/SHA256 -l 256
```


----------



## graudeejs (Jun 16, 2010)

Probably
You don't need SHA for swap (at least I don't see point of using it, unless you just want to make things slower)


----------



## nabioullinr (Jun 16, 2010)

So no authentication at all is useful for swap? What about /tmp?


----------



## graudeejs (Jun 16, 2010)

On swap you don't keep files, you you can consider swap as additional RAM [which is way slower, but can be helpful sometimes]

you can created tempfs and mount it on /tmp [need to edit rc.conf]
it will be created everytime you boot, and most data will live in ram or swap [depending on ram usage] while system is running


----------



## graudeejs (Jun 16, 2010)

It all depends what are you going to do, and can you live IF some corruptions occur


----------

