# Great System



## Deleted member 60479 (Nov 21, 2020)

This is a great operating system. Thank you.
I'm very impressed by the ability to automatically mount geli encrypted backup disks at boot.
And it's free (I know it's not free but anyway). Thank you, all.


----------



## ShelLuser (Nov 22, 2020)

jackson said:


> I'm very impressed by the ability to automatically mount geli encrypted backup disks at boot.


Keep in mind that such a setup doesn't protect your system _at all_. If your server gets stolen then people can simply boot it, and the encryption layer has no further effect on the active system.


----------



## Deleted member 60479 (Nov 22, 2020)

Sorry I don't follow you. My OS is geli encrypted and so is my backup disk


----------



## Deleted member 60479 (Nov 22, 2020)

There's always time to shut your baby down


----------



## fernandel (Nov 22, 2020)

Helpful site:
https://vez.mrsk.me/freebsd-defaults.html


----------



## ralphbsz (Nov 23, 2020)

jackson said:


> Sorry I don't follow you. My OS is geli encrypted and so is my backup disk


Where does the password or encryption key or passphrase come from?

If you have to manually enter it (you sit there at a keyboard and type it after boot), then your system is secure against someone stealing the computer and booting it. Unless they are capable of guessing the password, or torturing you. I think that's called a "rubber hose attack" among security people: the attacker hits you with rubber hoses until you enter the password.

If you don't have to enter the password and the file systems automatically open up when booting, then a thief just has to steal the computer, plug it in, and they have all the data.

And either way: while the system is running, your data is not protected against a hacker who comes in over the network.

Note: I'm not saying that encrypting disks is useless. On the contrary, it is a good starting point, my laptops all have encrypted disks (and I have to type in my password to open them up, that has been the case since about 2001), and the one external disk that leaves the house is encrypted with manual password entry. But encrypting your disks is only a starting point on your security voyage (there is some line from "Lord of the Rings" about a long trip starting with a first step or something like that). If you are interested in security, you might want to also think about other aspects of it. Just as an example: I had the pleasure of working with people whose computers have absolutely no connection to the outside world, no cell phones or USB sticks can be brought into the computer room unless first checked over by the security staff, and every sys admin has an assault rifle on their back when working. These people were very secure.


----------
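
Editor's added example (not code from any poster in this thread): a small sh audit of the distinction drawn above, reporting for each provider in `geli_devices` whether its attach flags make it unlock unattended at boot (`-p` no passphrase, or `-j` passphrase read from a file) or wait for a typed passphrase. The sample rc.conf, device names and key paths are constructed; it assumes rc.conf-style `geli_<dev>_flags` settings and does not cover keyfiles preloaded from loader.conf.

```sh
#!/bin/sh
# Classify geli providers listed in rc.conf by how they unlock at boot.

# Constructed sample rc.conf (device names and key paths are made up).
SAMPLE_RC='geli_devices="ada0p3 da1 gpt/backup"
geli_da1_flags="-p -k /root/keys/da1.key"
geli_gpt_backup_flags="-j /root/keys/backup.pass"
'

# rc_value VAR: print the value of VAR="..." from rc.conf text on stdin.
rc_value() {
    sed -n "s/^$1=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" | tail -n 1
}

# audit_geli_rc: read rc.conf text on stdin, print "<provider> <verdict>".
#   unattended = no passphrase is typed, so whoever boots the box gets the data
#   prompt     = attach waits for a passphrase at the console
audit_geli_rc() {
    rc=$(cat)
    default=$(printf '%s\n' "$rc" | rc_value geli_default_flags)
    for dev in $(printf '%s\n' "$rc" | rc_value geli_devices); do
        # Variable names use '_' in place of '/' and '-' in the provider name.
        var="geli_$(printf '%s' "$dev" | tr '/-' '__')_flags"
        flags=$(printf '%s\n' "$rc" | rc_value "$var")
        [ -n "$flags" ] || flags=$default
        verdict=prompt
        for f in $flags; do
            case $f in
                # -p: passphrase not part of the key; -j: passphrase from file.
                -*[pj]*) verdict=unattended ;;
            esac
        done
        printf '%s %s\n' "$dev" "$verdict"
    done
}

# Run against the constructed sample; on a real host pipe in /etc/rc.conf.
printf '%s' "$SAMPLE_RC" | audit_geli_rc
```

Any provider reported as `unattended` is the case described above: the key material sits on the same machine, so the encryption only helps if the disk is separated from it.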



## Deleted member 60479 (Nov 23, 2020)

ralphbsz said:


> Just as an example: I had the pleasure of working with people whose computers have absolutely no connection to the outside world, no cell phones or USB sticks can be brought into the computer room unless first checked over by the security staff, and every sys admin has an assault rifle on their back when working. These people were very secure.


Those are my kind of guys 



ralphbsz said:


> If you have to manually enter it (you sit there at a keyboard and type it after boot), then your system is secure against someone stealing the computer and booting it.


That's my setup



ralphbsz said:


> Unless they are capable of guessing the password, or torturing you


They're able to torture me. The key is inside my head. I guess the only real protection against a key in your head is a key-file that cannot be stolen aka sys-admin w/ a rifle on his back.


----------

