[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Full Disk Encryption with cgd (well, almost)
On Fri, 22 Mar 2013 00:11:35 +0100, Rhialto wrote:
> Is there any particular reason why cgdconfig and /etc/rc are in a
> ramdisk, rather than in the unencrypted /dev/wd0a? A ramdisk makes it so
> much more complicated to update stuff, but it offers no security anyway
> since it is unencrypted itself.
yes, the point is to keep it as generic as likely, without making any
assumption on the actual boot device. The aim is to get 100% of the disk
encrypted at some point, which can already be the case when booting from
a USB memory stick for instance.
As Thor mentioned, it is then simpler to get these two files signed by
the hardware (if supported). They can even be merged into a single file
if desired or required.
As for updating stuff, integrating this within the source tree using the
existing build infrastructure makes it trivial to update. Booting
manually is rather simple as well (a load + a boot command) and allows
booting backup versions easily if required.
Main Index |
Thread Index |