# full disk encryption understood by both windows and FreeBSD



## pacija (Dec 3, 2012)

I am forced to use a Windows/FreeBSD dual boot on my laptop. I need to share sensitive files between the two OSes, and I use an SD card for this. At this moment I have a keepass/keepassx database file on it, which is encrypted from within the application. However, I would like to put some other files (certificates, ssh keys etc.) onto it, which are not encrypted.

Now, is there a way to encrypt the whole SD card in a way that it could be mounted from both OSes?

Thank you in advance,


----------



## ondra_knezour (Dec 3, 2012)

security/truecrypt comes to mind, but I never tried it personally.


----------



## fonz (Dec 3, 2012)

ondra_knezour said:

> pacija said:
>
> ...


In fact, last time I checked, TrueCrypt was the *only* encryption system at disk/partition/filesystem level that worked with both OSes.

Fonz

P.S. @Moderators: Perhaps this thread belongs in Storage rather than General.


----------



## marwis (Dec 3, 2012)

pacija said:

> I need to share sensitive files between the two OSes, and I use SD card for this. [...] I would like to put some other files (certificates, ssh keys etc.) onto it, which are not encrypted.


Full disk encryption prevents the data from being read from the "outside", e.g. if your SD card is lost/stolen it cannot be read without the decryption password.

Full disk encryption does *not* prevent a malicious application from reading the data, e.g. a virus stealing your SSH keys.

Since you are planning to share the sensitive data also with the Windows operating system, which is targeted heavily by malicious application writers, I recommend protecting the SSH keys with a strong passphrase that could itself be stored in the security/keepassx database.
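The advice above (a mounted encrypted card does not protect keys from software running on the host, so the keys themselves should carry a passphrase) is easy to audit. The script below is an added example, not something either poster wrote: it reports which private key files on a directory such as the mounted card are stored without a passphrase. It inspects only the PEM/OpenSSH headers and never decodes key material; the sample files it writes are constructed, truncated headers, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): find private keys stored without a passphrase.
# Only headers are inspected, so running it against a mounted card decodes no secrets.

# key_status FILE -> prints "encrypted", "plaintext" or "unknown"
key_status() {
    f=$1
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # The base64 body decodes to "openssh-key-v1\0" followed by the cipher name;
        # a cipher of "none" means the key is not passphrase-protected.
        body=$(sed -n '2p' "$f")
        case $body in
            b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo plaintext ;;
            b3BlbnNzaC1rZXktdjEAAAAA*)        echo encrypted ;;
            *)                                echo unknown ;;
        esac
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted            # PKCS#8, passphrase-protected
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo plaintext            # PKCS#8, unprotected
    elif grep -Eq -- '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$f"; then
        # Legacy PEM keys carry "Proc-Type: 4,ENCRYPTED" only when protected.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo plaintext
        fi
    else
        echo unknown
    fi
}

# scan_keys DIR -> prints every plaintext private key found under DIR, one per line
scan_keys() {
    find "$1" -type f | while read -r f; do
        if [ "$(key_status "$f")" = plaintext ]; then
            echo "$f"
        fi
    done
}

# make_samples DIR -> writes constructed, truncated sample files (NOT real keys)
make_samples() {
    d=$1
    # OpenSSH format, cipher "none" (the base64 prefix is what that header encodes to)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_plain"
    # OpenSSH format, cipher "aes256-ctr" with the bcrypt KDF
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_locked"
    # Legacy PEM format with the encryption header (constructed placeholder IV)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_locked"
    printf '%s\n' 'not a key at all' > "$d/notes.txt"
}

# Run with "--demo" to exercise the scan on the constructed samples.
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "Keys stored without a passphrase:"
    scan_keys "$tmp"
    rm -rf "$tmp"
fi
```

Point `scan_keys` at the mount point of the card (for example `scan_keys /media/sdcard`) to get the list of keys that would be readable in the clear by anything running while the card is mounted; `ssh-keygen -p -f KEY` adds a passphrase to an existing key.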


----------



## fonz (Dec 3, 2012)

marwis said:

> Full disk encryption prevents the data from being read from the "outside", e.g. if your SD card is lost/stolen it cannot be read without the decryption password.
>
> Full disk encryption does *not* prevent a malicious application from reading the data, e.g. a virus stealing your SSH keys.


Good point indeed. Once your SD card has been "attached" (or whatever TrueCrypt calls it) and mounted, the files on it are no longer safe, unless you use additional means of protection (e.g. KeePass(X) or GnuPG or something) as well.

Fonz


----------



## ondra_knezour (Dec 3, 2012)

However, once keys or other security-sensitive information are in memory, they can be relatively easily read/manipulated with physical access to the machine, see DMA attacks for example. Only a HW security device which works like a black box and never allows stored keys to leave it can be considered secure up to some level.


----------



## pacija (Dec 3, 2012)

I will try truecrypt and share my experience in a few days.

Actually I use Windows for two things:

- Play Heroes of Might and Magic III online
- Web apps that work only with ActiveX

So, while waiting for my turn in my favourite retro turn-based strategy I like to post on forums, listen to lectures on openlearning.com, log in over ssh to my servers on the Internet, manipulate my databases with phpmyadmin, moderate my concrete5 and wordpress sites. For all these I need my keepass/keepassx password database, ssh keys and more.

I know the truecrypt setup will not be hack-proof but at least it will be better than having this SD card totally unencrypted.


----------



## Beeblebrox (Dec 3, 2012)

*Use Wine*

Why aren't you using emulators/wine, a windows emulator? If you want a package-management front-end there is additionally emulators/wine-doors.

Wine comes with an Internet Explorer and you can install any type of "add-on" you want, including ActiveX. So that takes care of your ActiveX sites.

For the game, you can search the wine website but just some examples:
http://appdb.winehq.org/objectManager.php?sClass=version&iId=2628&iTestingId=38278
http://appdb.winehq.org/objectManager.php?sClass=application&iId=394

OR, you can add playonlinux from source (if you know how to) like this. If you use flash on FreeBSD, you already have emulators/linux_base-f10 installed and might get the bright idea of installing playonlinux in the linux emulator layer but that is a lot more complicated - so no point.

The advantage here is that you can remove dual booting, forget windows updates, switch the whole HDD to ZFS (thus native ZFS encryption), and who knows what else.

P.S. If your system is 64 bit, then the wine port will not work. However there is another solution for 64bit systems - so advise 32/64 compatibility.


----------



## jwele (Dec 3, 2012)

pacija said:

> I will try truecrypt and share my experience in a few days.
>
> Actually I use windows for two things:
>
> ...



Please do tell me how truecrypt works for you; I was also thinking about trying it on my desktop computer.


----------



## pacija (Dec 4, 2012)

I am giving up after trying device mode first, and file mode afterwards. In both cases I had problems with unmounting /dev/fuse0, which was mounted on /tmp/.truecrypt_aux_mnt1, because the device was busy. After all it is probably officially unsupported on FreeBSD for a reason.


----------



## wblock@ (Dec 4, 2012)

Use fstat(1) or lsof(8) to see what has a directory in use. I had that problem with devel/gamin, used with xfce for detecting file changes. http://people.gnome.org/~veillard/gamin/config.html shows the config options. In /usr/local/etc/gamin/gaminrc, I set it to poll my home directory.
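To make the "what has the directory in use" step repeatable, here is an added helper (not from either poster) that lists the processes holding a mount point such as /tmp/.truecrypt_aux_mnt1 open, using whichever of fstat(1), lsof(8) or fuser(1) the system has. The `fstat -f` output it parses is constructed for the demonstration; the column layout (USER CMD PID FD MOUNT ...) follows fstat(1), and the lsof and fuser fallbacks are assumptions about those tools' default output.

```shell
#!/bin/sh
# Added example (not from the thread): show who is keeping a mount point busy
# before trying to detach a TrueCrypt/FUSE auxiliary mount.

# parse_fstat: read `fstat -f MOUNTPOINT` output on stdin and print "PID CMD (FD)"
# for each open descriptor. fstat columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W.
parse_fstat() {
    awk 'NR > 1 && NF >= 5 { print $3, $2, "(" $4 ")" }'
}

# busy_procs MOUNTPOINT -> prints the holders of MOUNTPOINT, one per line
busy_procs() {
    mp=$1
    if command -v fstat >/dev/null 2>&1; then            # FreeBSD
        fstat -f "$mp" | parse_fstat
    elif command -v lsof >/dev/null 2>&1; then           # lsof columns: COMMAND PID USER FD ...
        lsof +D "$mp" 2>/dev/null | awk 'NR > 1 { print $2, $1, "(" $4 ")" }'
    elif command -v fuser >/dev/null 2>&1; then          # PIDs only
        fuser -m "$mp" 2>/dev/null
    else
        echo "none of fstat, lsof or fuser is available" >&2
        return 1
    fi
}

# sample_fstat -> constructed `fstat -f /tmp/.truecrypt_aux_mnt1` output for the demo
sample_fstat() {
    printf '%s\n' \
      'USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME' \
      'pacija   Thunar      1234   wd /tmp/.truecrypt_aux_mnt1   2 drwxr-xr-x   512  r' \
      'pacija   sh          2345    3 /tmp/.truecrypt_aux_mnt1   5 -rw-------  4096  r'
}

# Run with "--demo" to parse the constructed sample instead of the live system.
if [ "${1:-}" = --demo ]; then
    echo "Processes holding /tmp/.truecrypt_aux_mnt1 (constructed sample):"
    sample_fstat | parse_fstat
fi
```

A process whose FD column shows `wd` (working directory) holds the directory simply by having `cd`'d into it, which is the usual reason a mount reports "device busy" with no file open; a file manager or a desktop file-change monitor like gamin shows up the same way.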


----------



## pacija (Dec 5, 2012)

I also use xfce with ck-launch-session and dbus-launch. I already have ~/.gaminrc:

```
notify /private/*
```

/private is my geli-encrypted volume. Shouldn't the notify line be enough? Or do I also need to set poll and fsset?


----------



## wblock@ (Dec 5, 2012)

I had to set poll to get it to not lock the directory. Although, come to think of it, it does not show changes at all now until a user refresh is done (F5 for the desktop). Maybe that fsset also needs to be set to give a poll time.
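For reference, an added gaminrc (not from either poster) that uses all three directives from the gamin configuration page linked above. The paths are placeholders; whether gamin accepts a given filesystem type name in `fsset` depends on what the mount table reports, so `nfs` here is the documented example rather than a tested value for FUSE mounts.

```text
# ~/.gaminrc (added example; paths are placeholders)
# notify PATH...              kernel notification (kqueue) for matching paths
# poll PATH...                polling instead, so gamin does not hold the directory open
# fsset FSTYPE METHOD LIMIT   method for a whole filesystem type, LIMIT = poll interval (s)

notify /home/user/*
poll   /private/* /tmp/.truecrypt_aux_mnt1/*
fsset  nfs poll 10
```

Polling a directory means gamin only notices changes on its next poll, which matches the "nothing shows until F5" behaviour described above; the interval in `fsset` is the knob for that delay.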


----------



## FBSD (Dec 7, 2012)

I've used GnuPG (OpenPGP based), but you could also consider creating an encrypted 7-zip data file on your card.


----------



## Zare (Dec 7, 2012)

pacija said:

> I will try truecrypt and share my experience in a few days.
>
> Actually I use windows for two things:
>
> ...



HOMM3 works with Wine. Regarding IE/ActiveX on Wine, I've run into some problems with HTTPS. In any case, both should work on VirtualBox hosting Windows XP, confirmed, I had an XP installation under VirtualBox on FreeBSD 8 on a Core Duo (2x2 GHz, 4 GB RAM, Radeon 4650) 3 years ago and it worked without any problems - HOMM3, Office, IE/ActiveX, and some other software. Try it.

Keep in mind that hosting disks of a virtual guest on a GELI-encrypted medium will reduce the virtual guest's performance significantly, if you aren't using hardware acceleration. Check if your CPU supports AES-NI.
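The AES-NI check at the end is worth scripting, since it decides whether GELI's AES modes run in hardware or in software. The script below is an added example (not from the thread): the pure function `has_aesni_flags` recognises the `AESNI` token that FreeBSD prints in the `Features2=` line of /var/run/dmesg.boot and the `aes` flag in Linux's /proc/cpuinfo, and `aesni_status` applies it to whichever file the running machine has. The feature lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does this CPU advertise AES-NI?
# On FreeBSD the aesni(4) driver gives GELI hardware AES only when this flag is present.

# has_aesni_flags STRING -> exit 0 if a CPU feature line lists AES-NI, 1 otherwise.
# FreeBSD: "Features2=0x...<...,AESNI,...>"; Linux: "flags : ... aes ...".
has_aesni_flags() {
    tokens=$(printf '%s' "$1" | tr '<>,=' '    ')
    case " $tokens " in
        *" AESNI "*|*" aes "*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# aesni_status -> prints "present", "absent" or "unknown" for the running machine
aesni_status() {
    if [ -r /var/run/dmesg.boot ]; then                       # FreeBSD
        line=$(grep -m1 'Features2=' /var/run/dmesg.boot)
    elif [ -r /proc/cpuinfo ]; then                           # Linux
        line=$(grep -m1 '^flags' /proc/cpuinfo)
    else
        echo unknown
        return 0
    fi
    if has_aesni_flags "$line"; then echo present; else echo absent; fi
}

# Constructed feature lines for the demo: a CPU with AES-NI and a Core Duo-class one without.
SAMPLE_WITH='  Features2=0x1ffafbbf<SSE3,PCLMULQDQ,MON,VMX,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>'
SAMPLE_WITHOUT='  Features2=0xc3d<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM>'

if [ "${1:-}" = --demo ]; then
    echo "this machine: $(aesni_status)"
    for s in "$SAMPLE_WITH" "$SAMPLE_WITHOUT"; do
        if has_aesni_flags "$s"; then echo "sample: AES-NI present"; else echo "sample: AES-NI absent"; fi
    done
fi
```

When the flag is present on FreeBSD, loading the driver (`kldload aesni`, or `aesni_load="YES"` in /boot/loader.conf) is what actually lets GELI use it; a `geli attach` done before the driver is loaded keeps running in software.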


----------

