On Thu, Mar 21, 2013 at 03:01:55AM +0100, Pierre Pronchery wrote: |I have just managed to prototype a way to achieve (almost) full disk |encryption with cgd. I have tried to implement this while altering the |least amount of existing code and infrastructure that I could. heh - I've been working on something similar over the last week and was looking to announce it in the next day or so ... looks like we should compare notes ... :) a few major differences - I'm not that familiar with the build infrastructure so I've just created a basic external script to drive the existing build.sh and unpack various set tarballs to create a bootable cd9660 image with the cgd details on it. I'd been tinkering with splitting /etc/rc execution into pre-cgd and post-cgd but hadn't gotten to that detail, so in my setup /etc/rc.conf for the host lives on the cd image and the cgd fs is mounted at /crypt - I can live with having to rebuild the cd filesystem if I want to change /etc/rc.conf for the moment I initially tried putting just base.tgz and etc.tgz into the cd image and then using a single union mount to put the modifiable crypt filesystem over the top of / but found that this didn't work as the union mount system complained they weren't distinct paths. I then changed this to union mount just the individual filesystmes I wanted to work with and this is more promising. I did find however that attempts to modify files that weren't in the upper layer but were present in a read-only lower layer tended to fail with permission errors until they were forcibly copied to the upper layer which was very annoying I still haven't tracked down some errors that postfix was complaining about with creating an exclusive lock file, but I suspect this is a side-effect of using union mounts: my current thinking is to scrap union mounts altogether and just go with full mounts which I was working on when I got your message ... :) I'll have a look and see what I can use from your approach and we might meet in the middle ... my script is in a little too much in flux to put out there at the moment, but I hope to have it ready for consumption soon Regards, Malcolm -- Malcolm Herbert This brain intentionally mjch%mjch.net@localhost left blank
Attachment:
pgpnV43lZKWqW.pgp
Description: PGP signature