NetBSD-Users archive


Re: fresh install, encrypt as much as possible



On 26/05/15 08:17, scar wrote:
> According to the guide for cgd, i need to "leave at least the small root
> (/) filesystem unencrypted, in order to load the kernel and run init,
> cgdconfig and the rc.d scripts that configure your cgd."  What is the
> "small root filesystem" that i need to leave unencrypted?

   I used to use a technique where one uses the sysctl "init.chroot" to
switch root from a root loaded into a memorydisk to a root on cgd.

   The procedure is roughly this:
   1) Boot from a memory stick/cd which creates root on a memory disk.
   2) The startup scripts in the system on the memory disk configure a
cgd device on the drive where your root on your "permanent storage" in
your computer resides, and then mount it in something like /cgdroot.
   3) The startup script uses the sysctl "init.chroot" to switch root to
/cgdroot.
   4) The startup resumes from inside the cgd system.

   I was using this for a long time, but when I moved to NetBSD/amd64 I
ran into a bug which caused me to have to abandon that type of
configuration.


   Leaving a small unencrypted part of your harddrive for the boot code
and the kernel would, to me, be one of the things you're trying to get
away from when using an encrypted root for your operating system.  (See
Evil Maid attack).


   I have some old patches which configure a cgd device for root in the
kernel before launching init.  It avoids all the messiness of switching
root.  Apart from installing the base OS in a cgd, one sets up a
bootable USB memory stick with a kernel and an appropriate boot.cfg.


   The advantage of having the "first root" on a memory disk, or of not
having the init.chroot occurring at all, is that once the kernel is loaded
you can pull out the boot media, leaving the machine unbootable by an
untrusted party.


-- 
Kind Regards,
Jan
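The four-step procedure in the message above, as an added example of an rc-style script for the memory-disk root (this is not Jan's code or NetBSD's own scripts): it configures the cgd, checks and mounts it, sanity-checks the new root, then pivots with the sysctl the message names. The device names, the params file path and /cgdroot are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the original message or from NetBSD.
# Assumed (hypothetical) layout: encrypted partition /dev/wd0a, params file
# /etc/cgd/wd0a, cgd device cgd0, mount point /cgdroot.
CGD_DEV="${CGD_DEV:-cgd0}"
CGD_DISK="${CGD_DISK:-/dev/wd0a}"
CGD_PARAMS="${CGD_PARAMS:-/etc/cgd/wd0a}"
CGD_ROOT="${CGD_ROOT:-/cgdroot}"

# Check the new root before handing over to it: a root lacking init, rc,
# fstab or dev leaves the machine in a state only a reboot from the
# boot media repairs, so refuse to pivot and stay on the memory disk.
check_new_root() {
    dir="$1"
    for f in sbin/init etc/rc etc/fstab dev; do
        [ -e "$dir/$f" ] || { echo "new root is missing $dir/$f" >&2; return 1; }
    done
    return 0
}

switch_root_to_cgd() {
    # cgdconfig reads the passphrase on the console; the params file
    # holds the key derivation parameters, never the key itself.
    cgdconfig "$CGD_DEV" "$CGD_DISK" "$CGD_PARAMS" || return 1
    fsck -p "/dev/${CGD_DEV}a" || return 1
    mkdir -p "$CGD_ROOT"
    mount "/dev/${CGD_DEV}a" "$CGD_ROOT" || return 1
    check_new_root "$CGD_ROOT" || return 1
    # Pivot: after this, init continues the startup from inside the cgd root.
    # The sysctl name is the one given in the message; confirm it against
    # sysctl(7) on the release you run.
    sysctl -w "init.chroot=$CGD_ROOT"
}

# Only act when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_CGD_SWITCH:-no}" = yes ]; then
    switch_root_to_cgd || echo "cgd root switch failed; staying on memory disk" >&2
fi
```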

