Current-Users archive


Re: cgd + lvm



On Tue, 12 Jan 2010, Charlie wrote:
> What I would like to see is to have a small '/boot' that contains the
> kernel and startup utilities to be booted from and then to encrypt the
> entire root filesystem.

You can get something almost like that using the chroot mechanism built
in to init(8), but you have to work out many details yourself, including
writing your own customised /etc/rc in the outer unencrypted file
system.

You need a small unencrypted outer root file system, and a large
encrypted inner chroot file system.  Have a complete NetBSD installation
in the inner encrypted file system, configured in such a way as to think
that the encrypted file system is the root file system (but that it does
not need to be mounted or fscked).  Have a customised outer /etc/rc in
the unencrypted file system, which will mount and fsck the encrypted
inner file system, set the init.root sysctl variable, and exit (without
doing most of the things that a normal /etc/rc would do); then init(8)
will run everything else (including the inner /etc/rc from the encrypted
file system) inside a chroot(2) that makes the encrypted file system
appear to be the root file system.

Today, I keep my unencrypted outer file system in a ramdisk image in a
kernel module (a customised miniroot.kmod) which is loaded by the boot
loader, but in the past I have kept it in a normal ffs file system.

--apb (Alan Barrett)
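A sketch of the customised outer /etc/rc that Alan describes (attach the cgd, fsck and mount the inner file system, point init.root at it, exit), added here as an example and not taken from the original post or from NetBSD. The cgd.conf path, the cgd0a device, the /altroot mount point and the RUN dry-run hook are assumptions; the inner root's own /etc/fstab arrangement is left out.

```sh
#!/bin/sh
# Example outer /etc/rc for the init.root chroot scheme (constructed example).
# Assumptions: the encrypted device is configured from /etc/cgd/cgd.conf on the
# unencrypted outer root, its 'a' partition holds the full inner NetBSD root,
# and that root is mounted at /altroot before init.root is pointed at it.

CGD_CONF=/etc/cgd/cgd.conf
INNER_DEV=/dev/cgd0a
INNER_MNT=/altroot
# Set RUN=echo to print the hand-over steps instead of executing them.
RUN=${RUN:-}

# Perform the hand-over. Returns non-zero at the first failing step so that
# init(8) drops to single-user mode on the unencrypted outer root instead of
# chrooting into a half-prepared inner root.
outer_rc() {
    # Attach the encrypted device (prompts for the passphrase or uses a keyfile).
    $RUN cgdconfig -C -f "$CGD_CONF" || return 1
    # Check the inner file system in preen mode so an unattended boot can finish.
    $RUN fsck -p "$INNER_DEV" || return 1
    # Mount it under the outer root; it becomes "/" once init.root is set.
    $RUN mount -o rw "$INNER_DEV" "$INNER_MNT" || return 1
    # Ask init(8) to chroot(2) into it for the rest of rc processing.
    $RUN sysctl -w init.root="$INNER_MNT" || return 1
    return 0
}

# init(8) invokes /etc/rc with "autoboot" on a normal boot. Everything else a
# normal /etc/rc would do is deliberately left to the inner /etc/rc.
case "${1:-}" in
autoboot) outer_rc || exit 1 ;;
esac
```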

