Re: Full Disk Encryption with cgd (well, almost)

On Thu, Mar 21, 2013 at 03:01:55AM +0100, Pierre Pronchery wrote:
|I have just managed to prototype a way to achieve (almost) full disk
|encryption with cgd. I have tried to implement this while altering the
|least amount of existing code and infrastructure that I could.

heh - I've been working on something similar over the last week and was
looking to announce it in the next day or so ... looks like we should
compare notes ... :)

a few major differences - I'm not that familiar with the build
infrastructure so I've just created a basic external script to drive the
existing and unpack various set tarballs to create a bootable
cd9660 image with the cgd details on it. I'd been tinkering with
splitting /etc/rc execution into pre-cgd and post-cgd but hadn't gotten
to that detail, so in my setup /etc/rc.conf for the host lives on the
cd image and the cgd fs is mounted at /crypt - I can live with having
to rebuild the cd filesystem if I want to change /etc/rc.conf for the

I initially tried putting just base.tgz and etc.tgz into the cd image
and then using a single union mount to put the modifiable crypt
filesystem over the top of / but found that this didn't work as the
union mount system complained they weren't distinct paths.

I then changed this to union mount just the individual filesystems I
wanted to work with and this is more promising. I did find however
that attempts to modify files that weren't in the upper layer but were
present in a read-only lower layer tended to fail with permission errors
until they were forcibly copied to the upper layer which was very

I still haven't tracked down some errors that postfix was complaining
about with creating an exclusive lock file, but I suspect this is a
side-effect of using union mounts: my current thinking is to scrap union
mounts altogether and just go with full mounts which I was working on
when I got your message ... :)

I'll have a look and see what I can use from your approach and we might
meet in the middle ... my script is a little too much in flux to put
out there at the moment, but I hope to have it ready for consumption
